Viewing docs for Proxmox Virtual Environment (Proxmox VE) v8.0.0
published on Sunday, Apr 5, 2026 by Daniel Muehlbachler-Pietrzykowski

    Deprecated: Use proxmoxve.realm.Openid instead. This resource will be removed in v1.0.

    Manages an OpenID Connect authentication realm in Proxmox VE.

    OpenID Connect realms allow Proxmox to authenticate users against an external OpenID Connect provider.

    Privileges Required

    PathAttribute
    /access/domainsRealm.Allocate

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
    
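    // The listing referenced oidcClientSecret without declaring it. Read it from
    // stack configuration as a secret (set with
    // `pulumi config set --secret oidcClientSecret <value>`) so the client secret
    // never appears as a literal in the program source.
    const config = new pulumi.Config();
    const oidcClientSecret = config.requireSecret("oidcClientSecret");

    const example = new proxmoxve.realm.OpenidLegacy("example", {
        realm: "example-oidc",
        issuerUrl: "https://auth.example.com",
        clientId: "your-client-id",
        // Sent to Proxmox but never returned by its API, so a change made
        // outside this program is not detected.
        clientKey: oidcClientSecret,
        // Fixed after creation; the chosen claim must be unique and stable per user.
        usernameClaim: "email",
        // Creates a Proxmox user for any identity the provider authenticates
        // that does not exist on the cluster yet.
        autocreate: true,
        // Group mapping (optional): memberships are taken from this claim.
        groupsClaim: "groups",
        groupsAutocreate: true,
        // false appends on login, so groups that disappear from the claim
        // are not removed from the Proxmox user.
        groupsOverwrite: false,
        scopes: "openid email profile",
        queryUserinfo: true,
        comment: "Example OpenID Connect realm managed by Terraform",
    });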
    
    import pulumi
    import pulumi_proxmoxve as proxmoxve
    
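    # The listing referenced oidc_client_secret without defining it. Read it from
    # stack configuration as a secret (set with
    # `pulumi config set --secret oidcClientSecret <value>`) so the client secret
    # never appears as a literal in the program source.
    config = pulumi.Config()
    oidc_client_secret = config.require_secret("oidcClientSecret")

    example = proxmoxve.realm.OpenidLegacy("example",
        realm="example-oidc",
        issuer_url="https://auth.example.com",
        client_id="your-client-id",
        # Sent to Proxmox but never returned by its API, so a change made
        # outside this program is not detected.
        client_key=oidc_client_secret,
        # Fixed after creation; the chosen claim must be unique and stable per user.
        username_claim="email",
        # Creates a Proxmox user for any identity the provider authenticates
        # that does not exist on the cluster yet.
        autocreate=True,
        # Group mapping (optional): memberships are taken from this claim.
        groups_claim="groups",
        groups_autocreate=True,
        # False appends on login, so groups that disappear from the claim
        # are not removed from the Proxmox user.
        groups_overwrite=False,
        scopes="openid email profile",
        query_userinfo=True,
        comment="Example OpenID Connect realm managed by Terraform")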
    
    package main
    
    import (
    	"github.com/muhlba91/pulumi-proxmoxve/sdk/v8/go/proxmoxve/realm"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main registers the "example" OpenID Connect realm with the Pulumi engine.
    //
    // oidcClientSecret is not declared anywhere in this listing; it stands for
    // the OpenID Connect client secret and should be supplied as a secret value,
    // not written as a literal.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		realmArgs := &realm.OpenidLegacyArgs{
    			Realm:     pulumi.String("example-oidc"),
    			IssuerUrl: pulumi.String("https://auth.example.com"),
    			ClientId:  pulumi.String("your-client-id"),
    			ClientKey: pulumi.Any(oidcClientSecret),
    			// Fixed after creation; the claim must be unique and stable per user.
    			UsernameClaim: pulumi.String("email"),
    			// Creates a Proxmox user for any identity the provider authenticates.
    			Autocreate: pulumi.Bool(true),
    			// Group memberships are taken from this claim.
    			GroupsClaim:      pulumi.String("groups"),
    			GroupsAutocreate: pulumi.Bool(true),
    			// false appends on login; groups dropped from the claim stay assigned.
    			GroupsOverwrite: pulumi.Bool(false),
    			Scopes:          pulumi.String("openid email profile"),
    			QueryUserinfo:   pulumi.Bool(true),
    			Comment:         pulumi.String("Example OpenID Connect realm managed by Terraform"),
    		}
    		// The resource handle is unused; only the registration error is reported.
    		_, err := realm.NewOpenidLegacy(ctx, "example", realmArgs)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using ProxmoxVE = Pulumi.ProxmoxVE;
    
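    return await Deployment.RunAsync(() =>
    {
        // The listing referenced oidcClientSecret without declaring it. Read it
        // from stack configuration as a secret (set with
        // `pulumi config set --secret oidcClientSecret <value>`) so the client
        // secret never appears as a literal in the program source.
        var config = new Config();
        var oidcClientSecret = config.RequireSecret("oidcClientSecret");

        var example = new ProxmoxVE.Realm.OpenidLegacy("example", new()
        {
            Realm = "example-oidc",
            IssuerUrl = "https://auth.example.com",
            ClientId = "your-client-id",
            // Sent to Proxmox but never returned by its API, so a change made
            // outside this program is not detected.
            ClientKey = oidcClientSecret,
            // Fixed after creation; the chosen claim must be unique and stable per user.
            UsernameClaim = "email",
            // Creates a Proxmox user for any identity the provider authenticates
            // that does not exist on the cluster yet.
            Autocreate = true,
            // Group mapping (optional): memberships are taken from this claim.
            GroupsClaim = "groups",
            GroupsAutocreate = true,
            // false appends on login, so groups that disappear from the claim
            // are not removed from the Proxmox user.
            GroupsOverwrite = false,
            Scopes = "openid email profile",
            QueryUserinfo = true,
            Comment = "Example OpenID Connect realm managed by Terraform",
        });

    });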
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import io.muehlbachler.pulumi.proxmoxve.realm.OpenidLegacy;
    import io.muehlbachler.pulumi.proxmoxve.realm.OpenidLegacyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
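    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the "example" OpenID Connect realm.
         *
         * The listing referenced oidcClientSecret without declaring it; it is now
         * read from stack configuration as a secret (set with
         * {@code pulumi config set --secret oidcClientSecret <value>}) so the client
         * secret never appears as a literal in the program source.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            final var oidcClientSecret = ctx.config().requireSecret("oidcClientSecret");

            var example = new OpenidLegacy("example", OpenidLegacyArgs.builder()
                .realm("example-oidc")
                .issuerUrl("https://auth.example.com")
                .clientId("your-client-id")
                // Sent to Proxmox but never returned by its API, so a change made
                // outside this program is not detected.
                .clientKey(oidcClientSecret)
                // Fixed after creation; the chosen claim must be unique and stable per user.
                .usernameClaim("email")
                // Creates a Proxmox user for any identity the provider authenticates
                // that does not exist on the cluster yet.
                .autocreate(true)
                // Group mapping (optional): memberships are taken from this claim.
                .groupsClaim("groups")
                .groupsAutocreate(true)
                // false appends on login, so groups that disappear from the claim
                // are not removed from the Proxmox user.
                .groupsOverwrite(false)
                .scopes("openid email profile")
                .queryUserinfo(true)
                .comment("Example OpenID Connect realm managed by Terraform")
                .build());

        }
    }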
    
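    # ${oidcClientSecret} was referenced without being declared. Declaring it as
    # a secret config value keeps the client secret out of this file; set it with
    # `pulumi config set --secret oidcClientSecret <value>`.
    config:
      oidcClientSecret:
        type: string
        secret: true
    resources:
      example:
        type: proxmoxve:realm:OpenidLegacy
        properties:
          realm: example-oidc
          issuerUrl: https://auth.example.com
          clientId: your-client-id
          # Sent to Proxmox but never returned by its API.
          clientKey: ${oidcClientSecret}
          # Fixed after creation; the claim must be unique and stable per user.
          usernameClaim: email
          # Creates a Proxmox user for any identity the provider authenticates.
          autocreate: true
          # Group mapping (optional)
          groupsClaim: groups
          groupsAutocreate: true
          # false appends on login; groups dropped from the claim stay assigned.
          groupsOverwrite: false
          # Scopes and prompt
          scopes: openid email profile
          queryUserinfo: true
          comment: Example OpenID Connect realm managed by Terraform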
    

    Notes

    Client Key Security

    The clientKey is sent to Proxmox and stored securely, but it’s never returned by the API. This means:

    • Terraform cannot detect if the client key was changed outside of Terraform
    • You must maintain the client key in your Terraform configuration or use a variable
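    • The client key will be marked as sensitive in Terraform state; the value is still recorded there, so restrict access to the state backend and supply the key from a secret configuration value rather than a literal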

    Username Claim

    The usernameClaim attribute is fixed after creation — it cannot be changed once the realm is created. Changing it requires destroying and recreating the realm. Common values:

    • subject (default) — Uses the OpenID sub claim
    • username — Uses the preferred_username claim
    • email — Uses the email claim
    • upn — Uses the User Principal Name claim (common with ADFS/Azure AD)

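    Any valid OpenID claim name can be used. Ensure the chosen claim provides unique, stable identifiers for your users. OpenID Connect guarantees only that sub is unique and never reassigned within an issuer; a claim such as email or username can be changed or reassigned at the identity provider, in which case the new holder is mapped to the existing Proxmox user.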

    Common Configuration Scenarios

    Minimal Configuration

    import * as pulumi from "@pulumi/pulumi";
    import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
    
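    // The listing referenced oidcClientId and oidcClientSecret without declaring
    // them. Both are read from stack configuration; the secret is set with
    // `pulumi config set --secret oidcClientSecret <value>` so it never appears
    // as a literal in the program source.
    const config = new pulumi.Config();
    const oidcClientId = config.require("oidcClientId");
    const oidcClientSecret = config.requireSecret("oidcClientSecret");

    // usernameClaim is omitted, so the realm uses its default, subject
    // (the OpenID sub claim).
    const minimal = new proxmoxve.realm.OpenidLegacy("minimal", {
        realm: "my-oidc",
        issuerUrl: "https://auth.example.com",
        clientId: oidcClientId,
        clientKey: oidcClientSecret,
    });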
    
    import pulumi
    import pulumi_proxmoxve as proxmoxve
    
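    # The listing referenced oidc_client_id and oidc_client_secret without
    # defining them. Both are read from stack configuration; the secret is set
    # with `pulumi config set --secret oidcClientSecret <value>` so it never
    # appears as a literal in the program source.
    config = pulumi.Config()
    oidc_client_id = config.require("oidcClientId")
    oidc_client_secret = config.require_secret("oidcClientSecret")

    # username_claim is omitted, so the realm uses its default, subject
    # (the OpenID sub claim).
    minimal = proxmoxve.realm.OpenidLegacy("minimal",
        realm="my-oidc",
        issuer_url="https://auth.example.com",
        client_id=oidc_client_id,
        client_key=oidc_client_secret)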
    
    package main
    
    import (
    	"github.com/muhlba91/pulumi-proxmoxve/sdk/v8/go/proxmoxve/realm"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main registers the "minimal" OpenID Connect realm with the Pulumi engine.
    //
    // oidcClientId and oidcClientSecret are not declared anywhere in this
    // listing; the secret should be supplied as a secret value, not a literal.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Only the four required-for-login settings are given; UsernameClaim
    		// is omitted and so keeps its default, subject.
    		realmArgs := &realm.OpenidLegacyArgs{
    			Realm:     pulumi.String("my-oidc"),
    			IssuerUrl: pulumi.String("https://auth.example.com"),
    			ClientId:  pulumi.Any(oidcClientId),
    			ClientKey: pulumi.Any(oidcClientSecret),
    		}
    		_, err := realm.NewOpenidLegacy(ctx, "minimal", realmArgs)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using ProxmoxVE = Pulumi.ProxmoxVE;
    
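    return await Deployment.RunAsync(() =>
    {
        // The listing referenced oidcClientId and oidcClientSecret without
        // declaring them. Both are read from stack configuration; the secret is
        // set with `pulumi config set --secret oidcClientSecret <value>` so it
        // never appears as a literal in the program source.
        var config = new Config();
        var oidcClientId = config.Require("oidcClientId");
        var oidcClientSecret = config.RequireSecret("oidcClientSecret");

        // UsernameClaim is omitted, so the realm uses its default, subject
        // (the OpenID sub claim).
        var minimal = new ProxmoxVE.Realm.OpenidLegacy("minimal", new()
        {
            Realm = "my-oidc",
            IssuerUrl = "https://auth.example.com",
            ClientId = oidcClientId,
            ClientKey = oidcClientSecret,
        });

    });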
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import io.muehlbachler.pulumi.proxmoxve.realm.OpenidLegacy;
    import io.muehlbachler.pulumi.proxmoxve.realm.OpenidLegacyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
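    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the "minimal" OpenID Connect realm.
         *
         * The listing referenced oidcClientId and oidcClientSecret without
         * declaring them; both are now read from stack configuration, the secret
         * via {@code requireSecret} so it never appears as a literal in the source.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            final var config = ctx.config();
            final var oidcClientId = config.require("oidcClientId");
            final var oidcClientSecret = config.requireSecret("oidcClientSecret");

            // usernameClaim is omitted, so the realm uses its default, subject
            // (the OpenID sub claim).
            var minimal = new OpenidLegacy("minimal", OpenidLegacyArgs.builder()
                .realm("my-oidc")
                .issuerUrl("https://auth.example.com")
                .clientId(oidcClientId)
                .clientKey(oidcClientSecret)
                .build());

        }
    }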
    
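    # ${oidcClientId} and ${oidcClientSecret} were referenced without being
    # declared. The secret is declared with secret: true; set it with
    # `pulumi config set --secret oidcClientSecret <value>`.
    config:
      oidcClientId:
        type: string
      oidcClientSecret:
        type: string
        secret: true
    resources:
      minimal:
        type: proxmoxve:realm:OpenidLegacy
        properties:
          realm: my-oidc
          issuerUrl: https://auth.example.com
          clientId: ${oidcClientId}
          # Sent to Proxmox but never returned by its API.
          clientKey: ${oidcClientSecret}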
    

    With User and Group Provisioning

    import * as pulumi from "@pulumi/pulumi";
    import * as proxmoxve from "@muhlba91/pulumi-proxmoxve";
    
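    // The listing referenced oidcClientId and oidcClientSecret without declaring
    // them. Both are read from stack configuration; the secret is set with
    // `pulumi config set --secret oidcClientSecret <value>` so it never appears
    // as a literal in the program source.
    const config = new pulumi.Config();
    const oidcClientId = config.require("oidcClientId");
    const oidcClientSecret = config.requireSecret("oidcClientSecret");

    const full = new proxmoxve.realm.OpenidLegacy("full", {
        realm: "corporate-oidc",
        issuerUrl: "https://auth.example.com/realms/my-realm",
        clientId: oidcClientId,
        clientKey: oidcClientSecret,
        // Fixed after creation; the chosen claim must be unique and stable per user.
        usernameClaim: "email",
        // User provisioning: creates a Proxmox user for any identity the
        // provider authenticates that does not exist on the cluster yet.
        autocreate: true,
        // Group provisioning: memberships, and missing groups, come from this
        // claim, so whoever controls the claim controls group membership.
        groupsClaim: "groups",
        groupsAutocreate: true,
        scopes: "openid email profile",
        queryUserinfo: true,
    });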
    
    import pulumi
    import pulumi_proxmoxve as proxmoxve
    
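    # The listing referenced oidc_client_id and oidc_client_secret without
    # defining them. Both are read from stack configuration; the secret is set
    # with `pulumi config set --secret oidcClientSecret <value>` so it never
    # appears as a literal in the program source.
    config = pulumi.Config()
    oidc_client_id = config.require("oidcClientId")
    oidc_client_secret = config.require_secret("oidcClientSecret")

    full = proxmoxve.realm.OpenidLegacy("full",
        realm="corporate-oidc",
        issuer_url="https://auth.example.com/realms/my-realm",
        client_id=oidc_client_id,
        client_key=oidc_client_secret,
        # Fixed after creation; the chosen claim must be unique and stable per user.
        username_claim="email",
        # User provisioning: creates a Proxmox user for any identity the
        # provider authenticates that does not exist on the cluster yet.
        autocreate=True,
        # Group provisioning: memberships, and missing groups, come from this
        # claim, so whoever controls the claim controls group membership.
        groups_claim="groups",
        groups_autocreate=True,
        scopes="openid email profile",
        query_userinfo=True)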
    
    package main
    
    import (
    	"github.com/muhlba91/pulumi-proxmoxve/sdk/v8/go/proxmoxve/realm"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main registers the "full" OpenID Connect realm, with user and group
    // provisioning enabled, with the Pulumi engine.
    //
    // oidcClientId and oidcClientSecret are not declared anywhere in this
    // listing; the secret should be supplied as a secret value, not a literal.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		realmArgs := &realm.OpenidLegacyArgs{
    			Realm:     pulumi.String("corporate-oidc"),
    			IssuerUrl: pulumi.String("https://auth.example.com/realms/my-realm"),
    			ClientId:  pulumi.Any(oidcClientId),
    			ClientKey: pulumi.Any(oidcClientSecret),
    			// Fixed after creation; the claim must be unique and stable per user.
    			UsernameClaim: pulumi.String("email"),
    			// Creates a Proxmox user for any identity the provider authenticates.
    			Autocreate: pulumi.Bool(true),
    			// Memberships, and missing groups, come from this claim.
    			GroupsClaim:      pulumi.String("groups"),
    			GroupsAutocreate: pulumi.Bool(true),
    			Scopes:           pulumi.String("openid email profile"),
    			QueryUserinfo:    pulumi.Bool(true),
    		}
    		_, err := realm.NewOpenidLegacy(ctx, "full", realmArgs)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using ProxmoxVE = Pulumi.ProxmoxVE;
    
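    return await Deployment.RunAsync(() =>
    {
        // The listing referenced oidcClientId and oidcClientSecret without
        // declaring them. Both are read from stack configuration; the secret is
        // set with `pulumi config set --secret oidcClientSecret <value>` so it
        // never appears as a literal in the program source.
        var config = new Config();
        var oidcClientId = config.Require("oidcClientId");
        var oidcClientSecret = config.RequireSecret("oidcClientSecret");

        var full = new ProxmoxVE.Realm.OpenidLegacy("full", new()
        {
            Realm = "corporate-oidc",
            IssuerUrl = "https://auth.example.com/realms/my-realm",
            ClientId = oidcClientId,
            ClientKey = oidcClientSecret,
            // Fixed after creation; the chosen claim must be unique and stable per user.
            UsernameClaim = "email",
            // User provisioning: creates a Proxmox user for any identity the
            // provider authenticates that does not exist on the cluster yet.
            Autocreate = true,
            // Group provisioning: memberships, and missing groups, come from this
            // claim, so whoever controls the claim controls group membership.
            GroupsClaim = "groups",
            GroupsAutocreate = true,
            Scopes = "openid email profile",
            QueryUserinfo = true,
        });

    });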
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import io.muehlbachler.pulumi.proxmoxve.realm.OpenidLegacy;
    import io.muehlbachler.pulumi.proxmoxve.realm.OpenidLegacyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
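    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the "full" OpenID Connect realm with user and group provisioning.
         *
         * The listing referenced oidcClientId and oidcClientSecret without
         * declaring them; both are now read from stack configuration, the secret
         * via {@code requireSecret} so it never appears as a literal in the source.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            final var config = ctx.config();
            final var oidcClientId = config.require("oidcClientId");
            final var oidcClientSecret = config.requireSecret("oidcClientSecret");

            var full = new OpenidLegacy("full", OpenidLegacyArgs.builder()
                .realm("corporate-oidc")
                .issuerUrl("https://auth.example.com/realms/my-realm")
                .clientId(oidcClientId)
                .clientKey(oidcClientSecret)
                // Fixed after creation; the chosen claim must be unique and stable per user.
                .usernameClaim("email")
                // User provisioning: creates a Proxmox user for any identity the
                // provider authenticates that does not exist on the cluster yet.
                .autocreate(true)
                // Group provisioning: memberships, and missing groups, come from this
                // claim, so whoever controls the claim controls group membership.
                .groupsClaim("groups")
                .groupsAutocreate(true)
                .scopes("openid email profile")
                .queryUserinfo(true)
                .build());

        }
    }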
    
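    # ${oidcClientId} and ${oidcClientSecret} were referenced without being
    # declared. The secret is declared with secret: true; set it with
    # `pulumi config set --secret oidcClientSecret <value>`.
    config:
      oidcClientId:
        type: string
      oidcClientSecret:
        type: string
        secret: true
    resources:
      full:
        type: proxmoxve:realm:OpenidLegacy
        properties:
          realm: corporate-oidc
          issuerUrl: https://auth.example.com/realms/my-realm
          clientId: ${oidcClientId}
          clientKey: ${oidcClientSecret}
          # Fixed after creation; the claim must be unique and stable per user.
          usernameClaim: email
          # Creates a Proxmox user for any identity the provider authenticates.
          autocreate: true
          # Group synchronization: memberships, and missing groups, come from
          # this claim.
          groupsClaim: groups
          groupsAutocreate: true
          scopes: openid email profile
          queryUserinfo: true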
    

    See Also

    Create OpenidLegacy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new OpenidLegacy(name: string, args: OpenidLegacyArgs, opts?: CustomResourceOptions);
    @overload
    def OpenidLegacy(resource_name: str,
                     args: OpenidLegacyArgs,
                     opts: Optional[ResourceOptions] = None)
    
    @overload
    def OpenidLegacy(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     issuer_url: Optional[str] = None,
                     realm: Optional[str] = None,
                     client_id: Optional[str] = None,
                     client_key: Optional[str] = None,
                     comment: Optional[str] = None,
                     default: Optional[bool] = None,
                     groups_autocreate: Optional[bool] = None,
                     groups_claim: Optional[str] = None,
                     groups_overwrite: Optional[bool] = None,
                     acr_values: Optional[str] = None,
                     prompt: Optional[str] = None,
                     query_userinfo: Optional[bool] = None,
                     autocreate: Optional[bool] = None,
                     scopes: Optional[str] = None,
                     username_claim: Optional[str] = None)
    func NewOpenidLegacy(ctx *Context, name string, args OpenidLegacyArgs, opts ...ResourceOption) (*OpenidLegacy, error)
    public OpenidLegacy(string name, OpenidLegacyArgs args, CustomResourceOptions? opts = null)
    public OpenidLegacy(String name, OpenidLegacyArgs args)
    public OpenidLegacy(String name, OpenidLegacyArgs args, CustomResourceOptions options)
    
    type: proxmoxve:realm:OpenidLegacy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args OpenidLegacyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args OpenidLegacyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args OpenidLegacyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args OpenidLegacyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args OpenidLegacyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference shape only: every value below is a type placeholder, not a
    // working configuration. ClientKey is the OpenID Connect client secret;
    // supply it from a secret value rather than a literal.
    var openidLegacyResource = new ProxmoxVE.Realm.OpenidLegacy("openidLegacyResource", new()
    {
        IssuerUrl = "string",
        Realm = "string",
        ClientId = "string",
        ClientKey = "string",
        Comment = "string",
        Default = false,
        GroupsAutocreate = false,
        GroupsClaim = "string",
        GroupsOverwrite = false,
        AcrValues = "string",
        Prompt = "string",
        QueryUserinfo = false,
        Autocreate = false,
        Scopes = "string",
        UsernameClaim = "string",
    });
    
    // Reference shape only: every value below is a type placeholder, not a
    // working configuration. ClientKey is the OpenID Connect client secret;
    // supply it from a secret value rather than a literal.
    example, err := realm.NewOpenidLegacy(ctx, "openidLegacyResource", &realm.OpenidLegacyArgs{
    	IssuerUrl:        pulumi.String("string"),
    	Realm:            pulumi.String("string"),
    	ClientId:         pulumi.String("string"),
    	ClientKey:        pulumi.String("string"),
    	Comment:          pulumi.String("string"),
    	Default:          pulumi.Bool(false),
    	GroupsAutocreate: pulumi.Bool(false),
    	GroupsClaim:      pulumi.String("string"),
    	GroupsOverwrite:  pulumi.Bool(false),
    	AcrValues:        pulumi.String("string"),
    	Prompt:           pulumi.String("string"),
    	QueryUserinfo:    pulumi.Bool(false),
    	Autocreate:       pulumi.Bool(false),
    	Scopes:           pulumi.String("string"),
    	UsernameClaim:    pulumi.String("string"),
    })
    
    // Reference shape only: every value below is a type placeholder, not a
    // working configuration. clientKey is the OpenID Connect client secret;
    // supply it from a secret value rather than a literal.
    var openidLegacyResource = new OpenidLegacy("openidLegacyResource", OpenidLegacyArgs.builder()
        .issuerUrl("string")
        .realm("string")
        .clientId("string")
        .clientKey("string")
        .comment("string")
        .default_(false)
        .groupsAutocreate(false)
        .groupsClaim("string")
        .groupsOverwrite(false)
        .acrValues("string")
        .prompt("string")
        .queryUserinfo(false)
        .autocreate(false)
        .scopes("string")
        .usernameClaim("string")
        .build());
    
    # Reference shape only: every value below is a type placeholder, not a
    # working configuration. client_key is the OpenID Connect client secret;
    # supply it from a secret value rather than a literal.
    openid_legacy_resource = proxmoxve.realm.OpenidLegacy("openidLegacyResource",
        issuer_url="string",
        realm="string",
        client_id="string",
        client_key="string",
        comment="string",
        default=False,
        groups_autocreate=False,
        groups_claim="string",
        groups_overwrite=False,
        acr_values="string",
        prompt="string",
        query_userinfo=False,
        autocreate=False,
        scopes="string",
        username_claim="string")
    
    // Reference shape only: every value below is a type placeholder, not a
    // working configuration. clientKey is the OpenID Connect client secret;
    // supply it from a secret value rather than a literal.
    const openidLegacyResource = new proxmoxve.realm.OpenidLegacy("openidLegacyResource", {
        issuerUrl: "string",
        realm: "string",
        clientId: "string",
        clientKey: "string",
        comment: "string",
        "default": false,
        groupsAutocreate: false,
        groupsClaim: "string",
        groupsOverwrite: false,
        acrValues: "string",
        prompt: "string",
        queryUserinfo: false,
        autocreate: false,
        scopes: "string",
        usernameClaim: "string",
    });
    
    # Reference shape only: every value below is a type placeholder, not a
    # working configuration. clientKey is the OpenID Connect client secret;
    # supply it from a secret value rather than a literal.
    type: proxmoxve:realm:OpenidLegacy
    properties:
        acrValues: string
        autocreate: false
        clientId: string
        clientKey: string
        comment: string
        default: false
        groupsAutocreate: false
        groupsClaim: string
        groupsOverwrite: false
        issuerUrl: string
        prompt: string
        queryUserinfo: false
        realm: string
        scopes: string
        usernameClaim: string
    

    OpenidLegacy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The OpenidLegacy resource accepts the following input properties:

    ClientId string
    OpenID Connect Client ID.
    IssuerUrl string
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    Realm string
    Realm identifier (e.g., 'my-oidc').
    AcrValues string
    Authentication Context Class Reference values for the OpenID provider.
    Autocreate bool
    Automatically create users on the Proxmox cluster if they do not exist.
    ClientKey string
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    Comment string
    Description of the realm.
    Default bool
    Use this realm as the default for login.
    GroupsAutocreate bool
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    GroupsClaim string
    OpenID claim used to retrieve user group memberships.
    GroupsOverwrite bool
    Replace assigned groups on login instead of appending to existing ones.
    Prompt string
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    QueryUserinfo bool
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    Scopes string
    Space-separated list of OpenID scopes to request.
    UsernameClaim string
    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn.
    ClientId string
    OpenID Connect Client ID.
    IssuerUrl string
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    Realm string
    Realm identifier (e.g., 'my-oidc').
    AcrValues string
    Authentication Context Class Reference values for the OpenID provider.
    Autocreate bool
    Automatically create users on the Proxmox cluster if they do not exist.
    ClientKey string
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    Comment string
    Description of the realm.
    Default bool
    Use this realm as the default for login.
    GroupsAutocreate bool
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    GroupsClaim string
    OpenID claim used to retrieve user group memberships.
    GroupsOverwrite bool
    Replace assigned groups on login instead of appending to existing ones.
    Prompt string
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    QueryUserinfo bool
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    Scopes string
    Space-separated list of OpenID scopes to request.
    UsernameClaim string
    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn.
    clientId String
    OpenID Connect Client ID.
    issuerUrl String
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    realm String
    Realm identifier (e.g., 'my-oidc').
    acrValues String
    Authentication Context Class Reference values for the OpenID provider.
    autocreate Boolean
    Automatically create users on the Proxmox cluster if they do not exist.
    clientKey String
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment String
    Description of the realm.
    default_ Boolean
    Use this realm as the default for login.
    groupsAutocreate Boolean
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groupsClaim String
    OpenID claim used to retrieve user group memberships.
    groupsOverwrite Boolean
    Replace assigned groups on login instead of appending to existing ones.
    prompt String
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    queryUserinfo Boolean
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    scopes String
    Space-separated list of OpenID scopes to request.
    usernameClaim String
    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn.
    clientId string
    OpenID Connect Client ID.
    issuerUrl string
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    realm string
    Realm identifier (e.g., 'my-oidc').
    acrValues string
    Authentication Context Class Reference values for the OpenID provider.
    autocreate boolean
    Automatically create users on the Proxmox cluster if they do not exist.
    clientKey string
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment string
    Description of the realm.
    default boolean
    Use this realm as the default for login.
    groupsAutocreate boolean
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groupsClaim string
    OpenID claim used to retrieve user group memberships.
    groupsOverwrite boolean
    Replace assigned groups on login instead of appending to existing ones.
    prompt string
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    queryUserinfo boolean
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    scopes string
    Space-separated list of OpenID scopes to request.
    usernameClaim string
    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn.
    client_id str
    OpenID Connect Client ID.
    issuer_url str
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    realm str
    Realm identifier (e.g., 'my-oidc').
    acr_values str
    Authentication Context Class Reference values for the OpenID provider.
    autocreate bool
    Automatically create users on the Proxmox cluster if they do not exist.
    client_key str
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment str
    Description of the realm.
    default bool
    Use this realm as the default for login.
    groups_autocreate bool
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groups_claim str
    OpenID claim used to retrieve user group memberships.
    groups_overwrite bool
    Replace assigned groups on login instead of appending to existing ones.
    prompt str
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    query_userinfo bool
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    scopes str
    Space-separated list of OpenID scopes to request.
    username_claim str
    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn.
    clientId String
    OpenID Connect Client ID.
    issuerUrl String
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    realm String
    Realm identifier (e.g., 'my-oidc').
    acrValues String
    Authentication Context Class Reference values for the OpenID provider.
    autocreate Boolean
    Automatically create users on the Proxmox cluster if they do not exist.
    clientKey String
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment String
    Description of the realm.
    default Boolean
    Use this realm as the default for login.
    groupsAutocreate Boolean
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groupsClaim String
    OpenID claim used to retrieve user group memberships.
    groupsOverwrite Boolean
    Replace assigned groups on login instead of appending to existing ones.
    prompt String
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    queryUserinfo Boolean
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    scopes String
    Space-separated list of OpenID scopes to request.
    usernameClaim String
    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the OpenidLegacy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing OpenidLegacy Resource

    Get an existing OpenidLegacy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: OpenidLegacyState, opts?: CustomResourceOptions): OpenidLegacy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            acr_values: Optional[str] = None,
            autocreate: Optional[bool] = None,
            client_id: Optional[str] = None,
            client_key: Optional[str] = None,
            comment: Optional[str] = None,
            default: Optional[bool] = None,
            groups_autocreate: Optional[bool] = None,
            groups_claim: Optional[str] = None,
            groups_overwrite: Optional[bool] = None,
            issuer_url: Optional[str] = None,
            prompt: Optional[str] = None,
            query_userinfo: Optional[bool] = None,
            realm: Optional[str] = None,
            scopes: Optional[str] = None,
            username_claim: Optional[str] = None) -> OpenidLegacy
    func GetOpenidLegacy(ctx *Context, name string, id IDInput, state *OpenidLegacyState, opts ...ResourceOption) (*OpenidLegacy, error)
    public static OpenidLegacy Get(string name, Input<string> id, OpenidLegacyState? state, CustomResourceOptions? opts = null)
    public static OpenidLegacy get(String name, Output<String> id, OpenidLegacyState state, CustomResourceOptions options)
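    # Looks up an existing realm by its provider ID instead of creating one.
    # The mapping had been collapsed onto a single line, which is not valid YAML.
    resources:
      _:
        type: proxmoxve:realm:OpenidLegacy
        get:
          id: ${id}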
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AcrValues string
    Authentication Context Class Reference values for the OpenID provider.
    Autocreate bool
    Automatically create users on the Proxmox cluster if they do not exist.
    ClientId string
    OpenID Connect Client ID.
    ClientKey string
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    Comment string
    Description of the realm.
    Default bool
    Use this realm as the default for login.
    GroupsAutocreate bool
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    GroupsClaim string
    OpenID claim used to retrieve user group memberships.
    GroupsOverwrite bool
    Replace assigned groups on login instead of appending to existing ones.
    IssuerUrl string
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    Prompt string
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    QueryUserinfo bool
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    Realm string
    Realm identifier (e.g., 'my-oidc').
    Scopes string
    Space-separated list of OpenID scopes to request.
    UsernameClaim string
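    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn. Choose a claim that the identity provider guarantees to be unique and that users cannot change themselves, because it determines which Proxmox user a login maps to.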
    AcrValues string
    Authentication Context Class Reference values for the OpenID provider.
    Autocreate bool
    Automatically create users on the Proxmox cluster if they do not exist.
    ClientId string
    OpenID Connect Client ID.
    ClientKey string
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    Comment string
    Description of the realm.
    Default bool
    Use this realm as the default for login.
    GroupsAutocreate bool
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    GroupsClaim string
    OpenID claim used to retrieve user group memberships.
    GroupsOverwrite bool
    Replace assigned groups on login instead of appending to existing ones.
    IssuerUrl string
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    Prompt string
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    QueryUserinfo bool
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    Realm string
    Realm identifier (e.g., 'my-oidc').
    Scopes string
    Space-separated list of OpenID scopes to request.
    UsernameClaim string
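    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn. Choose a claim that the identity provider guarantees to be unique and that users cannot change themselves, because it determines which Proxmox user a login maps to.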
    acrValues String
    Authentication Context Class Reference values for the OpenID provider.
    autocreate Boolean
    Automatically create users on the Proxmox cluster if they do not exist.
    clientId String
    OpenID Connect Client ID.
    clientKey String
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment String
    Description of the realm.
    default_ Boolean
    Use this realm as the default for login.
    groupsAutocreate Boolean
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groupsClaim String
    OpenID claim used to retrieve user group memberships.
    groupsOverwrite Boolean
    Replace assigned groups on login instead of appending to existing ones.
    issuerUrl String
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    prompt String
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    queryUserinfo Boolean
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    realm String
    Realm identifier (e.g., 'my-oidc').
    scopes String
    Space-separated list of OpenID scopes to request.
    usernameClaim String
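    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn. Choose a claim that the identity provider guarantees to be unique and that users cannot change themselves, because it determines which Proxmox user a login maps to.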
    acrValues string
    Authentication Context Class Reference values for the OpenID provider.
    autocreate boolean
    Automatically create users on the Proxmox cluster if they do not exist.
    clientId string
    OpenID Connect Client ID.
    clientKey string
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment string
    Description of the realm.
    default boolean
    Use this realm as the default for login.
    groupsAutocreate boolean
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groupsClaim string
    OpenID claim used to retrieve user group memberships.
    groupsOverwrite boolean
    Replace assigned groups on login instead of appending to existing ones.
    issuerUrl string
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    prompt string
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    queryUserinfo boolean
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    realm string
    Realm identifier (e.g., 'my-oidc').
    scopes string
    Space-separated list of OpenID scopes to request.
    usernameClaim string
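    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn. Choose a claim that the identity provider guarantees to be unique and that users cannot change themselves, because it determines which Proxmox user a login maps to.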
    acr_values str
    Authentication Context Class Reference values for the OpenID provider.
    autocreate bool
    Automatically create users on the Proxmox cluster if they do not exist.
    client_id str
    OpenID Connect Client ID.
    client_key str
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment str
    Description of the realm.
    default bool
    Use this realm as the default for login.
    groups_autocreate bool
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groups_claim str
    OpenID claim used to retrieve user group memberships.
    groups_overwrite bool
    Replace assigned groups on login instead of appending to existing ones.
    issuer_url str
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    prompt str
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    query_userinfo bool
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    realm str
    Realm identifier (e.g., 'my-oidc').
    scopes str
    Space-separated list of OpenID scopes to request.
    username_claim str
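    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn. Choose a claim that the identity provider guarantees to be unique and that users cannot change themselves, because it determines which Proxmox user a login maps to.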
    acrValues String
    Authentication Context Class Reference values for the OpenID provider.
    autocreate Boolean
    Automatically create users on the Proxmox cluster if they do not exist.
    clientId String
    OpenID Connect Client ID.
    clientKey String
    OpenID Connect Client Key (secret). Note: stored in Proxmox but not returned by API.
    comment String
    Description of the realm.
    default Boolean
    Use this realm as the default for login.
    groupsAutocreate Boolean
    Automatically create groups from claims rather than using existing Proxmox VE groups.
    groupsClaim String
    OpenID claim used to retrieve user group memberships.
    groupsOverwrite Boolean
    Replace assigned groups on login instead of appending to existing ones.
    issuerUrl String
    OpenID Connect issuer URL. Proxmox uses OpenID Connect Discovery to configure the provider.
    prompt String
    Specifies whether the authorization server prompts for reauthentication and/or consent (e.g., 'none', 'login', 'consent', 'select_account').
    queryUserinfo Boolean
    Query the OpenID userinfo endpoint for claims. Required when the identity provider does not include claims in the ID token.
    realm String
    Realm identifier (e.g., 'my-oidc').
    scopes String
    Space-separated list of OpenID scopes to request.
    usernameClaim String
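    OpenID claim used to generate the unique username. Common values are subject, username, email, and upn. Choose a claim that the identity provider guarantees to be unique and that users cannot change themselves, because it determines which Proxmox user a login maps to.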

    Import

    OpenID realms can be imported using the realm identifier, e.g.:

    $ pulumi import proxmoxve:realm/openidLegacy:OpenidLegacy example example-oidc
    

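    When importing, the clientKey attribute cannot be imported since it’s not returned by the Proxmox API. You’ll need to set this attribute in your Pulumi program after the import to manage it with Pulumi. Supply it as a secret (for example, a value stored with `pulumi config set --secret`) rather than as a literal in source.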

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    proxmoxve muhlba91/pulumi-proxmoxve
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the proxmox Terraform Provider.