oidc

package
Published: Nov 11, 2021 License: Apache-2.0 Imports: 7 Imported by: 0

Types

type GoogleIdentityProvider

// GoogleIdentityProvider manages a Google identity provider (Keycloak provider id `google`, see ProviderId)
// inside a Keycloak realm. The fields with the most security impact are ClientSecret, HostedDomain and
// TrustEmail; see their comments.
type GoogleIdentityProvider struct {
	pulumi.CustomResourceState

	// When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrOutput `pulumi:"acceptsPromptNoneForwardFromClient"`
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrOutput `pulumi:"addReadTokenRoleOnCreate"`
	// (Computed) The alias for the Google identity provider.
	Alias pulumi.StringOutput `pulumi:"alias"`
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrOutput `pulumi:"authenticateByDefault"`
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
	// Treat as sensitive: unless the input is marked secret (e.g. `pulumi.ToSecret`) or supplied via the vault
	// reference, the plaintext value is recorded in Pulumi state.
	ClientSecret pulumi.StringOutput `pulumi:"clientSecret"`
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid profile email`.
	DefaultScopes pulumi.StringPtrOutput `pulumi:"defaultScopes"`
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrOutput `pulumi:"disableUserInfo"`
	// (Computed) Display name for the Google identity provider in the GUI.
	DisplayName pulumi.StringOutput `pulumi:"displayName"`
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled     pulumi.BoolPtrOutput `pulumi:"enabled"`
	// Additional provider configuration passed through to Keycloak as raw key/value pairs (the package example
	// sets `myCustomConfigKey`); presumably not validated by this resource — confirm against Keycloak's provider config.
	ExtraConfig pulumi.MapOutput     `pulumi:"extraConfig"`
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"firstBrokerLoginFlowAlias"`
	// A number defining the order of this identity provider in the GUI.
	GuiOrder pulumi.StringPtrOutput `pulumi:"guiOrder"`
	// When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrOutput `pulumi:"hideOnLoginPage"`
	// Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When `*` is entered, an account from any domain can be used.
	// Combined with `TrustEmail`, `*` means the email address of any Google account is accepted as verified.
	HostedDomain pulumi.StringPtrOutput `pulumi:"hostedDomain"`
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringOutput `pulumi:"internalId"`
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrOutput `pulumi:"linkOnly"`
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"postBrokerLoginFlowAlias"`
	// The ID of the identity provider to use. Defaults to `google`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrOutput `pulumi:"providerId"`
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringOutput `pulumi:"realm"`
	// Sets the "accessType" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
	RequestRefreshToken pulumi.BoolPtrOutput `pulumi:"requestRefreshToken"`
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrOutput `pulumi:"storeToken"`
	// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
	SyncMode pulumi.StringPtrOutput `pulumi:"syncMode"`
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"`
	// Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
	UseUserIpParam pulumi.BoolPtrOutput `pulumi:"useUserIpParam"`
}

Allows for creating and managing OIDC Identity Providers within Keycloak.

OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

## Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The realm is created first; the identity provider below is scoped to it through realm.ID().
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// NOTE(review): `_var.…` is not declared anywhere in this example (apparently a placeholder left by the
		// upstream doc generator); substitute your own configuration lookup. Source ClientSecret from a
		// secret-marked value (e.g. `pulumi.ToSecret`) rather than a plain string so it is not stored
		// unencrypted in Pulumi state.
		_, err = oidc.NewGoogleIdentityProvider(ctx, "google", &oidc.GoogleIdentityProviderArgs{
			Realm:        realm.ID(),
			ClientId:     pulumi.Any(_var.Google_identity_provider_client_id),
			ClientSecret: pulumi.Any(_var.Google_identity_provider_client_secret),
			// TrustEmail with a concrete HostedDomain: only example.com accounts are offered and their email is
			// taken as verified; a HostedDomain of `*` would extend that to any Google account.
			TrustEmail:   pulumi.Bool(true),
			HostedDomain: pulumi.String("example.com"),
			SyncMode:     pulumi.String("IMPORT"),
			// Raw provider config passed through to Keycloak; keys are not validated here.
			ExtraConfig: pulumi.AnyMap{
				"myCustomConfigKey": pulumi.Any("myValue"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

This resource does not yet support importing.

func GetGoogleIdentityProvider

func GetGoogleIdentityProvider(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *GoogleIdentityProviderState, opts ...pulumi.ResourceOption) (*GoogleIdentityProvider, error)

GetGoogleIdentityProvider gets an existing GoogleIdentityProvider resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewGoogleIdentityProvider

func NewGoogleIdentityProvider(ctx *pulumi.Context,
	name string, args *GoogleIdentityProviderArgs, opts ...pulumi.ResourceOption) (*GoogleIdentityProvider, error)

NewGoogleIdentityProvider registers a new resource with the given unique name, arguments, and options.

func (*GoogleIdentityProvider) ElementType

func (*GoogleIdentityProvider) ElementType() reflect.Type

func (*GoogleIdentityProvider) ToGoogleIdentityProviderOutput

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderOutput() GoogleIdentityProviderOutput

func (*GoogleIdentityProvider) ToGoogleIdentityProviderOutputWithContext

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderOutputWithContext(ctx context.Context) GoogleIdentityProviderOutput

func (*GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutput

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput

func (*GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutputWithContext

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput

type GoogleIdentityProviderArgs

// GoogleIdentityProviderArgs is the set of arguments for constructing a GoogleIdentityProvider resource.
// ClientId, ClientSecret and Realm are the required (non-pointer) inputs.
type GoogleIdentityProviderArgs struct {
	// When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
	// Treat as sensitive: pass a secret-marked input (e.g. `pulumi.ToSecret`) or the vault reference so the
	// plaintext does not land in Pulumi state.
	ClientSecret pulumi.StringInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid profile email`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled     pulumi.BoolPtrInput
	// Additional provider configuration passed through to Keycloak as raw key/value pairs; presumably not
	// validated by this resource — confirm against Keycloak's provider config.
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// A number defining the order of this identity provider in the GUI.
	GuiOrder pulumi.StringPtrInput
	// When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When `*` is entered, an account from any domain can be used.
	// Combined with `TrustEmail`, `*` means the email address of any Google account is accepted as verified.
	HostedDomain pulumi.StringPtrInput
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `google`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringInput
	// Sets the "accessType" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
	RequestRefreshToken pulumi.BoolPtrInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrInput
	// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
	SyncMode pulumi.StringPtrInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	TrustEmail pulumi.BoolPtrInput
	// Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
	UseUserIpParam pulumi.BoolPtrInput
}

The set of arguments for constructing a GoogleIdentityProvider resource.

func (GoogleIdentityProviderArgs) ElementType

func (GoogleIdentityProviderArgs) ElementType() reflect.Type

type GoogleIdentityProviderArray

// GoogleIdentityProviderArray is a slice of GoogleIdentityProviderInput values; it is one of the concrete
// types accepted as a GoogleIdentityProviderArrayInput.
type GoogleIdentityProviderArray []GoogleIdentityProviderInput

func (GoogleIdentityProviderArray) ElementType

func (GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutput

func (i GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutput() GoogleIdentityProviderArrayOutput

func (GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutputWithContext

func (i GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutputWithContext(ctx context.Context) GoogleIdentityProviderArrayOutput

type GoogleIdentityProviderArrayInput

// GoogleIdentityProviderArrayInput is an input type that accepts GoogleIdentityProviderArray and
// GoogleIdentityProviderArrayOutput values.
type GoogleIdentityProviderArrayInput interface {
	pulumi.Input

	ToGoogleIdentityProviderArrayOutput() GoogleIdentityProviderArrayOutput
	ToGoogleIdentityProviderArrayOutputWithContext(context.Context) GoogleIdentityProviderArrayOutput
}

GoogleIdentityProviderArrayInput is an input type that accepts GoogleIdentityProviderArray and GoogleIdentityProviderArrayOutput values. You can construct a concrete instance of `GoogleIdentityProviderArrayInput` via:

GoogleIdentityProviderArray{ GoogleIdentityProviderArgs{...} }

type GoogleIdentityProviderArrayOutput

// GoogleIdentityProviderArrayOutput is the Output form of a GoogleIdentityProviderArray; individual
// elements are reached through Index.
type GoogleIdentityProviderArrayOutput struct{ *pulumi.OutputState }

func (GoogleIdentityProviderArrayOutput) ElementType

func (GoogleIdentityProviderArrayOutput) Index

func (GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutput

func (o GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutput() GoogleIdentityProviderArrayOutput

func (GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutputWithContext

func (o GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutputWithContext(ctx context.Context) GoogleIdentityProviderArrayOutput

type GoogleIdentityProviderInput

// GoogleIdentityProviderInput is satisfied by *GoogleIdentityProvider and GoogleIdentityProviderOutput,
// both of which provide ToGoogleIdentityProviderOutput.
type GoogleIdentityProviderInput interface {
	pulumi.Input

	ToGoogleIdentityProviderOutput() GoogleIdentityProviderOutput
	ToGoogleIdentityProviderOutputWithContext(ctx context.Context) GoogleIdentityProviderOutput
}

type GoogleIdentityProviderMap

// GoogleIdentityProviderMap is a string-keyed map of GoogleIdentityProviderInput values; it is one of the
// concrete types accepted as a GoogleIdentityProviderMapInput.
type GoogleIdentityProviderMap map[string]GoogleIdentityProviderInput

func (GoogleIdentityProviderMap) ElementType

func (GoogleIdentityProviderMap) ElementType() reflect.Type

func (GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutput

func (i GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutput() GoogleIdentityProviderMapOutput

func (GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutputWithContext

func (i GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutputWithContext(ctx context.Context) GoogleIdentityProviderMapOutput

type GoogleIdentityProviderMapInput

// GoogleIdentityProviderMapInput is an input type that accepts GoogleIdentityProviderMap and
// GoogleIdentityProviderMapOutput values.
type GoogleIdentityProviderMapInput interface {
	pulumi.Input

	ToGoogleIdentityProviderMapOutput() GoogleIdentityProviderMapOutput
	ToGoogleIdentityProviderMapOutputWithContext(context.Context) GoogleIdentityProviderMapOutput
}

GoogleIdentityProviderMapInput is an input type that accepts GoogleIdentityProviderMap and GoogleIdentityProviderMapOutput values. You can construct a concrete instance of `GoogleIdentityProviderMapInput` via:

GoogleIdentityProviderMap{ "key": GoogleIdentityProviderArgs{...} }

type GoogleIdentityProviderMapOutput

// GoogleIdentityProviderMapOutput is the Output form of a GoogleIdentityProviderMap; entries are reached
// through MapIndex.
type GoogleIdentityProviderMapOutput struct{ *pulumi.OutputState }

func (GoogleIdentityProviderMapOutput) ElementType

func (GoogleIdentityProviderMapOutput) MapIndex

func (GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutput

func (o GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutput() GoogleIdentityProviderMapOutput

func (GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutputWithContext

func (o GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutputWithContext(ctx context.Context) GoogleIdentityProviderMapOutput

type GoogleIdentityProviderOutput

// GoogleIdentityProviderOutput is the Output wrapper for a GoogleIdentityProvider value, as returned by
// (*GoogleIdentityProvider).ToGoogleIdentityProviderOutput.
type GoogleIdentityProviderOutput struct{ *pulumi.OutputState }

func (GoogleIdentityProviderOutput) ElementType

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutput

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutput() GoogleIdentityProviderOutput

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutputWithContext

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutputWithContext(ctx context.Context) GoogleIdentityProviderOutput

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutput

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutputWithContext

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput

type GoogleIdentityProviderPtrInput

// GoogleIdentityProviderPtrInput is satisfied by *GoogleIdentityProvider, GoogleIdentityProviderOutput and
// GoogleIdentityProviderPtrOutput, all of which provide ToGoogleIdentityProviderPtrOutput.
type GoogleIdentityProviderPtrInput interface {
	pulumi.Input

	ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput
	ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput
}

type GoogleIdentityProviderPtrOutput

// GoogleIdentityProviderPtrOutput is the pointer-valued Output for a GoogleIdentityProvider; Elem
// dereferences it to a GoogleIdentityProviderOutput.
type GoogleIdentityProviderPtrOutput struct{ *pulumi.OutputState }

func (GoogleIdentityProviderPtrOutput) Elem added in v4.6.0

func (GoogleIdentityProviderPtrOutput) ElementType

func (GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutput

func (o GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput

func (GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutputWithContext

func (o GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput

type GoogleIdentityProviderState

// GoogleIdentityProviderState holds the optional state properties passed to GetGoogleIdentityProvider to
// qualify the lookup of an existing resource. Every field is a pointer input, so any subset may be set.
type GoogleIdentityProviderState struct {
	// When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// (Computed) The alias for the Google identity provider.
	Alias pulumi.StringPtrInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringPtrInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
	// Treat as sensitive: pass a secret-marked input (e.g. `pulumi.ToSecret`) or the vault reference so the
	// plaintext does not land in Pulumi state.
	ClientSecret pulumi.StringPtrInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid profile email`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// (Computed) Display name for the Google identity provider in the GUI.
	DisplayName pulumi.StringPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled     pulumi.BoolPtrInput
	// Additional provider configuration passed through to Keycloak as raw key/value pairs; presumably not
	// validated by this resource — confirm against Keycloak's provider config.
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// A number defining the order of this identity provider in the GUI.
	GuiOrder pulumi.StringPtrInput
	// When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When `*` is entered, an account from any domain can be used.
	// Combined with `TrustEmail`, `*` means the email address of any Google account is accepted as verified.
	HostedDomain pulumi.StringPtrInput
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringPtrInput
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `google`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringPtrInput
	// Sets the "accessType" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
	RequestRefreshToken pulumi.BoolPtrInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrInput
	// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
	SyncMode pulumi.StringPtrInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	TrustEmail pulumi.BoolPtrInput
	// Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
	UseUserIpParam pulumi.BoolPtrInput
}

func (GoogleIdentityProviderState) ElementType

type IdentityProvider

// IdentityProvider manages a generic OIDC identity provider (Keycloak provider id `oidc`, see ProviderId)
// inside a Keycloak realm. The fields with the most security impact are ClientSecret, ValidateSignature
// (off by default) together with JwksUrl, and TrustEmail; see their comments.
type IdentityProvider struct {
	pulumi.CustomResourceState

	// When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrOutput `pulumi:"acceptsPromptNoneForwardFromClient"`
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrOutput `pulumi:"addReadTokenRoleOnCreate"`
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringOutput `pulumi:"alias"`
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrOutput `pulumi:"authenticateByDefault"`
	// The Authorization Url (the external IdP's authorization endpoint; should be an https URL).
	AuthorizationUrl pulumi.StringOutput `pulumi:"authorizationUrl"`
	// Does the external IDP support backchannel logout? Defaults to `true`.
	BackchannelSupported pulumi.BoolPtrOutput `pulumi:"backchannelSupported"`
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
	// Treat as sensitive: unless the input is marked secret (e.g. `pulumi.ToSecret`) or supplied via the vault
	// reference, the plaintext value is recorded in Pulumi state.
	ClientSecret pulumi.StringOutput `pulumi:"clientSecret"`
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
	DefaultScopes pulumi.StringPtrOutput `pulumi:"defaultScopes"`
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrOutput `pulumi:"disableUserInfo"`
	// Display name for the identity provider in the GUI.
	DisplayName pulumi.StringPtrOutput `pulumi:"displayName"`
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled     pulumi.BoolPtrOutput `pulumi:"enabled"`
	// Additional provider configuration passed through to Keycloak as raw key/value pairs (the package example
	// sets `clientAuthMethod`); presumably not validated by this resource — confirm against Keycloak's provider config.
	ExtraConfig pulumi.MapOutput     `pulumi:"extraConfig"`
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"firstBrokerLoginFlowAlias"`
	// A number defining the order of this identity provider in the GUI.
	GuiOrder pulumi.StringPtrOutput `pulumi:"guiOrder"`
	// When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrOutput `pulumi:"hideOnLoginPage"`
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringOutput `pulumi:"internalId"`
	// JSON Web Key Set URL. Where Keycloak fetches the external IdP's signing keys; presumably only consulted
	// when `ValidateSignature` is `true` — confirm against the Keycloak provider settings.
	JwksUrl pulumi.StringPtrOutput `pulumi:"jwksUrl"`
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrOutput `pulumi:"linkOnly"`
	// Pass login hint to identity provider.
	LoginHint pulumi.StringPtrOutput `pulumi:"loginHint"`
	// The Logout URL is the end session endpoint to use to logout user from external identity provider.
	LogoutUrl pulumi.StringPtrOutput `pulumi:"logoutUrl"`
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"postBrokerLoginFlowAlias"`
	// The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrOutput `pulumi:"providerId"`
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringOutput `pulumi:"realm"`
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrOutput `pulumi:"storeToken"`
	// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
	SyncMode pulumi.StringPtrOutput `pulumi:"syncMode"`
	// The Token URL. Keycloak presents the client credentials to this endpoint, so it should be an https URL.
	TokenUrl pulumi.StringOutput `pulumi:"tokenUrl"`
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"`
	// Pass current locale to identity provider. Defaults to `false`.
	UiLocales pulumi.BoolPtrOutput `pulumi:"uiLocales"`
	// User Info URL.
	UserInfoUrl pulumi.StringPtrOutput `pulumi:"userInfoUrl"`
	// Enable/disable signature validation of external IDP signatures. Defaults to `false`, which means tokens
	// returned by the external IdP are accepted without signature verification; set to `true` (together with
	// `JwksUrl`) for any deployment that relies on the brokered identity.
	ValidateSignature pulumi.BoolPtrOutput `pulumi:"validateSignature"`
}

Allows for creating and managing OIDC Identity Providers within Keycloak.

OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

## Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v4/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The realm is created first; the identity provider below is scoped to it through realm.ID().
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		// NOTE(review): ClientSecret is a literal here for illustration only; in real code source it from a
		// secret-marked value (e.g. `pulumi.ToSecret`) so it is not stored unencrypted in Pulumi state. The
		// example also leaves ValidateSignature at its default (`false`), so tokens from the external IdP are
		// not signature-checked; set it to `true` and supply JwksUrl for anything beyond a demo.
		_, err = oidc.NewIdentityProvider(ctx, "realmIdentityProvider", &oidc.IdentityProviderArgs{
			Realm:            realm.ID(),
			Alias:            pulumi.String("my-idp"),
			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
			ClientId:         pulumi.String("clientID"),
			ClientSecret:     pulumi.String("clientSecret"),
			TokenUrl:         pulumi.String("https://tokenurl.com"),
			// Raw provider config passed through to Keycloak; `clientAuthMethod` selects how the client
			// secret is sent to TokenUrl.
			ExtraConfig: pulumi.AnyMap{
				"clientAuthMethod": pulumi.Any("client_secret_post"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. Example:

```sh

$ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp

```

func GetIdentityProvider

func GetIdentityProvider(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *IdentityProviderState, opts ...pulumi.ResourceOption) (*IdentityProvider, error)

GetIdentityProvider gets an existing IdentityProvider resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewIdentityProvider

func NewIdentityProvider(ctx *pulumi.Context,
	name string, args *IdentityProviderArgs, opts ...pulumi.ResourceOption) (*IdentityProvider, error)

NewIdentityProvider registers a new resource with the given unique name, arguments, and options.

func (*IdentityProvider) ElementType

func (*IdentityProvider) ElementType() reflect.Type

func (*IdentityProvider) ToIdentityProviderOutput

func (i *IdentityProvider) ToIdentityProviderOutput() IdentityProviderOutput

func (*IdentityProvider) ToIdentityProviderOutputWithContext

func (i *IdentityProvider) ToIdentityProviderOutputWithContext(ctx context.Context) IdentityProviderOutput

func (*IdentityProvider) ToIdentityProviderPtrOutput

func (i *IdentityProvider) ToIdentityProviderPtrOutput() IdentityProviderPtrOutput

func (*IdentityProvider) ToIdentityProviderPtrOutputWithContext

func (i *IdentityProvider) ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput

type IdentityProviderArgs

// IdentityProviderArgs is the set of arguments for constructing an IdentityProvider resource.
// Alias, AuthorizationUrl, ClientId, ClientSecret, Realm and TokenUrl are the required (non-pointer) inputs.
type IdentityProviderArgs struct {
	// When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The Authorization Url (the external IdP's authorization endpoint; should be an https URL).
	AuthorizationUrl pulumi.StringInput
	// Does the external IDP support backchannel logout? Defaults to `true`.
	BackchannelSupported pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
	// Treat as sensitive: pass a secret-marked input (e.g. `pulumi.ToSecret`) or the vault reference so the
	// plaintext does not land in Pulumi state.
	ClientSecret pulumi.StringInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// Display name for the identity provider in the GUI.
	DisplayName pulumi.StringPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled     pulumi.BoolPtrInput
	// Additional provider configuration passed through to Keycloak as raw key/value pairs (the package example
	// sets `clientAuthMethod`); presumably not validated by this resource — confirm against Keycloak's provider config.
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// A number defining the order of this identity provider in the GUI.
	GuiOrder pulumi.StringPtrInput
	// When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// JSON Web Key Set URL. Where Keycloak fetches the external IdP's signing keys; presumably only consulted
	// when `ValidateSignature` is `true` — confirm against the Keycloak provider settings.
	JwksUrl pulumi.StringPtrInput
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// Pass login hint to identity provider.
	LoginHint pulumi.StringPtrInput
	// The Logout URL is the end session endpoint to use to logout user from external identity provider.
	LogoutUrl pulumi.StringPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrInput
	// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
	SyncMode pulumi.StringPtrInput
	// The Token URL. Keycloak presents the client credentials to this endpoint, so it should be an https URL.
	TokenUrl pulumi.StringInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	TrustEmail pulumi.BoolPtrInput
	// Pass current locale to identity provider. Defaults to `false`.
	UiLocales pulumi.BoolPtrInput
	// User Info URL.
	UserInfoUrl pulumi.StringPtrInput
	// Enable/disable signature validation of external IDP signatures. Defaults to `false`, which means tokens
	// returned by the external IdP are accepted without signature verification; set to `true` (together with
	// `JwksUrl`) for any deployment that relies on the brokered identity.
	ValidateSignature pulumi.BoolPtrInput
}

The set of arguments for constructing an IdentityProvider resource.

func (IdentityProviderArgs) ElementType

func (IdentityProviderArgs) ElementType() reflect.Type

type IdentityProviderArray

// IdentityProviderArray is a slice of IdentityProviderInput values. It satisfies
// IdentityProviderArrayInput, so it can be passed wherever a list of identity
// providers is expected.
type IdentityProviderArray []IdentityProviderInput

func (IdentityProviderArray) ElementType

func (IdentityProviderArray) ElementType() reflect.Type

func (IdentityProviderArray) ToIdentityProviderArrayOutput

func (i IdentityProviderArray) ToIdentityProviderArrayOutput() IdentityProviderArrayOutput

func (IdentityProviderArray) ToIdentityProviderArrayOutputWithContext

func (i IdentityProviderArray) ToIdentityProviderArrayOutputWithContext(ctx context.Context) IdentityProviderArrayOutput

type IdentityProviderArrayInput

// IdentityProviderArrayInput is an input type that accepts IdentityProviderArray
// and IdentityProviderArrayOutput values. A concrete instance is constructed via
// IdentityProviderArray{ IdentityProviderArgs{...} }.
type IdentityProviderArrayInput interface {
	pulumi.Input

	ToIdentityProviderArrayOutput() IdentityProviderArrayOutput
	ToIdentityProviderArrayOutputWithContext(context.Context) IdentityProviderArrayOutput
}

IdentityProviderArrayInput is an input type that accepts IdentityProviderArray and IdentityProviderArrayOutput values. You can construct a concrete instance of `IdentityProviderArrayInput` via:

IdentityProviderArray{ IdentityProviderArgs{...} }

type IdentityProviderArrayOutput

// IdentityProviderArrayOutput is the resolved output form of an IdentityProviderArray;
// individual elements are reached through Index.
type IdentityProviderArrayOutput struct{ *pulumi.OutputState }

func (IdentityProviderArrayOutput) ElementType

func (IdentityProviderArrayOutput) Index

func (IdentityProviderArrayOutput) ToIdentityProviderArrayOutput

func (o IdentityProviderArrayOutput) ToIdentityProviderArrayOutput() IdentityProviderArrayOutput

func (IdentityProviderArrayOutput) ToIdentityProviderArrayOutputWithContext

func (o IdentityProviderArrayOutput) ToIdentityProviderArrayOutputWithContext(ctx context.Context) IdentityProviderArrayOutput

type IdentityProviderInput

// IdentityProviderInput is implemented by values that can be converted to an
// IdentityProviderOutput, including IdentityProviderOutput itself.
type IdentityProviderInput interface {
	pulumi.Input

	ToIdentityProviderOutput() IdentityProviderOutput
	ToIdentityProviderOutputWithContext(ctx context.Context) IdentityProviderOutput
}

type IdentityProviderMap

// IdentityProviderMap is a string-keyed map of IdentityProviderInput values. It
// satisfies IdentityProviderMapInput.
type IdentityProviderMap map[string]IdentityProviderInput

func (IdentityProviderMap) ElementType

func (IdentityProviderMap) ElementType() reflect.Type

func (IdentityProviderMap) ToIdentityProviderMapOutput

func (i IdentityProviderMap) ToIdentityProviderMapOutput() IdentityProviderMapOutput

func (IdentityProviderMap) ToIdentityProviderMapOutputWithContext

func (i IdentityProviderMap) ToIdentityProviderMapOutputWithContext(ctx context.Context) IdentityProviderMapOutput

type IdentityProviderMapInput

// IdentityProviderMapInput is an input type that accepts IdentityProviderMap and
// IdentityProviderMapOutput values. A concrete instance is constructed via
// IdentityProviderMap{ "key": IdentityProviderArgs{...} }.
type IdentityProviderMapInput interface {
	pulumi.Input

	ToIdentityProviderMapOutput() IdentityProviderMapOutput
	ToIdentityProviderMapOutputWithContext(context.Context) IdentityProviderMapOutput
}

IdentityProviderMapInput is an input type that accepts IdentityProviderMap and IdentityProviderMapOutput values. You can construct a concrete instance of `IdentityProviderMapInput` via:

IdentityProviderMap{ "key": IdentityProviderArgs{...} }

type IdentityProviderMapOutput

// IdentityProviderMapOutput is the resolved output form of an IdentityProviderMap;
// individual entries are reached through MapIndex.
type IdentityProviderMapOutput struct{ *pulumi.OutputState }

func (IdentityProviderMapOutput) ElementType

func (IdentityProviderMapOutput) ElementType() reflect.Type

func (IdentityProviderMapOutput) MapIndex

func (IdentityProviderMapOutput) ToIdentityProviderMapOutput

func (o IdentityProviderMapOutput) ToIdentityProviderMapOutput() IdentityProviderMapOutput

func (IdentityProviderMapOutput) ToIdentityProviderMapOutputWithContext

func (o IdentityProviderMapOutput) ToIdentityProviderMapOutputWithContext(ctx context.Context) IdentityProviderMapOutput

type IdentityProviderOutput

// IdentityProviderOutput is the resolved output form of an IdentityProvider
// resource. It also converts to IdentityProviderPtrOutput.
type IdentityProviderOutput struct{ *pulumi.OutputState }

func (IdentityProviderOutput) ElementType

func (IdentityProviderOutput) ElementType() reflect.Type

func (IdentityProviderOutput) ToIdentityProviderOutput

func (o IdentityProviderOutput) ToIdentityProviderOutput() IdentityProviderOutput

func (IdentityProviderOutput) ToIdentityProviderOutputWithContext

func (o IdentityProviderOutput) ToIdentityProviderOutputWithContext(ctx context.Context) IdentityProviderOutput

func (IdentityProviderOutput) ToIdentityProviderPtrOutput

func (o IdentityProviderOutput) ToIdentityProviderPtrOutput() IdentityProviderPtrOutput

func (IdentityProviderOutput) ToIdentityProviderPtrOutputWithContext

func (o IdentityProviderOutput) ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput

type IdentityProviderPtrInput

// IdentityProviderPtrInput is implemented by values that can be converted to an
// IdentityProviderPtrOutput; both IdentityProviderOutput and
// IdentityProviderPtrOutput provide the required conversions.
type IdentityProviderPtrInput interface {
	pulumi.Input

	ToIdentityProviderPtrOutput() IdentityProviderPtrOutput
	ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput
}

type IdentityProviderPtrOutput

// IdentityProviderPtrOutput is the pointer-valued output form of an
// IdentityProvider resource; Elem yields the underlying IdentityProviderOutput.
type IdentityProviderPtrOutput struct{ *pulumi.OutputState }

func (IdentityProviderPtrOutput) Elem added in v4.6.0

func (IdentityProviderPtrOutput) ElementType

func (IdentityProviderPtrOutput) ElementType() reflect.Type

func (IdentityProviderPtrOutput) ToIdentityProviderPtrOutput

func (o IdentityProviderPtrOutput) ToIdentityProviderPtrOutput() IdentityProviderPtrOutput

func (IdentityProviderPtrOutput) ToIdentityProviderPtrOutputWithContext

func (o IdentityProviderPtrOutput) ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput

type IdentityProviderState

// IdentityProviderState describes the state of an IdentityProvider resource.
// Every field is optional: each is a pointer input (or a MapInput).
type IdentityProviderState struct {
	// When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and is also used to build the redirect URI.
	Alias pulumi.StringPtrInput
	// Enable/disable authenticating users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The Authorization URL.
	AuthorizationUrl pulumi.StringPtrInput
	// Does the external IDP support backchannel logout? Defaults to `true`.
	BackchannelSupported pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringPtrInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
	// NOTE(review): a literal value here is carried in the Pulumi program and its state; prefer the vault reference form so the secret itself never appears in either — confirm whether the provider marks this field as secret.
	ClientSecret pulumi.StringPtrInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// Display name for the identity provider in the GUI.
	DisplayName pulumi.StringPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled pulumi.BoolPtrInput
	// Additional key/value configuration forwarded to the identity provider. The accepted keys are not documented on this type — confirm against the Keycloak OIDC identity provider settings.
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// A number defining the order of this identity provider in the GUI. Note that although the value is numeric, the field is a string input.
	GuiOrder pulumi.StringPtrInput
	// When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringPtrInput
	// JSON Web Key Set URL.
	JwksUrl pulumi.StringPtrInput
	// When `true`, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// Pass login hint to identity provider.
	LoginHint pulumi.StringPtrInput
	// The Logout URL is the end session endpoint used to log the user out of the external identity provider.
	LogoutUrl pulumi.StringPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringPtrInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	// Stored tokens are readable by users holding the `broker.read-token` role (see AddReadTokenRoleOnCreate).
	StoreToken pulumi.BoolPtrInput
	// The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
	SyncMode pulumi.StringPtrInput
	// The Token URL.
	TokenUrl pulumi.StringPtrInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	// NOTE(review): only enable this when the external IDP is known to verify email ownership, since the realm's own verification is bypassed for these users.
	TrustEmail pulumi.BoolPtrInput
	// Pass current locale to identity provider. Defaults to `false`.
	UiLocales pulumi.BoolPtrInput
	// User Info URL.
	UserInfoUrl pulumi.StringPtrInput
	// Enable/disable signature validation of external IDP signatures. Defaults to `false`.
	// NOTE(review): with the default, signatures on tokens from the external IDP are not validated; enable this and configure `JwksUrl` as the key source where applicable — confirm the exact key-source semantics against the Keycloak documentation.
	ValidateSignature pulumi.BoolPtrInput
}

func (IdentityProviderState) ElementType

func (IdentityProviderState) ElementType() reflect.Type
