oidc

package
Published: Apr 12, 2021 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type GoogleIdentityProvider

// GoogleIdentityProvider is the Pulumi resource for a Google-backed identity provider
// inside a Keycloak realm. Fields marked (Computed) are assigned by Keycloak and are
// read-only from the program's point of view.
type GoogleIdentityProvider struct {
	pulumi.CustomResourceState

	// When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrOutput `pulumi:"acceptsPromptNoneForwardFromClient"`
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	// NOTE(review): together with `StoreToken` (default `true`) this lets every newly created user retrieve the Google tokens Keycloak keeps for them — enable only when that is intended.
	AddReadTokenRoleOnCreate pulumi.BoolPtrOutput `pulumi:"addReadTokenRoleOnCreate"`
	// (Computed) The alias for the Google identity provider.
	Alias pulumi.StringOutput `pulumi:"alias"`
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrOutput `pulumi:"authenticateByDefault"`
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// The client or client secret registered within the identity provider. This field is able to obtain its value from the Keycloak vault; use the `${vault.ID}` format.
	// This value is a credential: keep it out of plaintext stack state (mark it as a Pulumi secret or use the vault reference) and out of source control.
	ClientSecret pulumi.StringOutput `pulumi:"clientSecret"`
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid profile email`.
	DefaultScopes pulumi.StringPtrOutput `pulumi:"defaultScopes"`
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrOutput `pulumi:"disableUserInfo"`
	// (Computed) Display name for the Google identity provider in the GUI.
	DisplayName pulumi.StringOutput `pulumi:"displayName"`
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
	// Additional provider configuration entries, presumably passed to Keycloak verbatim (the example sets `syncMode`).
	ExtraConfig pulumi.MapOutput `pulumi:"extraConfig"`
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"firstBrokerLoginFlowAlias"`
	// When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrOutput `pulumi:"hideOnLoginPage"`
	// Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When `*` is entered, an account from any domain can be used.
	// NOTE(review): `*` removes the only domain restriction on who can log in through this provider; be especially careful combining it with `TrustEmail`.
	HostedDomain pulumi.StringPtrOutput `pulumi:"hostedDomain"`
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringOutput `pulumi:"internalId"`
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrOutput `pulumi:"linkOnly"`
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"postBrokerLoginFlowAlias"`
	// The ID of the identity provider to use. Defaults to `google`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrOutput `pulumi:"providerId"`
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringOutput `pulumi:"realm"`
	// Sets the "accessType" query parameter to "offline" when redirecting to the Google authorization endpoint, to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
	// NOTE(review): a refresh token is a long-lived credential; with `StoreToken` left at `true` it is persisted in Keycloak — confirm that is acceptable before enabling.
	RequestRefreshToken pulumi.BoolPtrOutput `pulumi:"requestRefreshToken"`
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrOutput `pulumi:"storeToken"`
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	// NOTE(review): this skips Keycloak's own verification step, so it relies entirely on Google having verified the address; with `HostedDomain` set to `*` it applies to any Google account.
	TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"`
	// Sets the "userIp" query parameter when querying Google's User Info service, passing the end user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
	UseUserIpParam pulumi.BoolPtrOutput `pulumi:"useUserIpParam"`
}

Allows for creating and managing Google Identity Providers within Keycloak. This is a preconfigured OIDC provider: Google's endpoints are built in, so only the OAuth client credentials and the realm-side options are supplied here.

OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

## Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-keycloak/sdk/v3/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v3/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"

)

// main creates a realm and attaches a Google identity provider to it.
//
// The `_var.*` references stand for values supplied from configuration: the
// client ID and secret of the OAuth client registered with Google. `TrustEmail`
// is reasonable here only because `HostedDomain` pins logins to a single
// domain; with a wildcard domain it would mark any Google account's address
// as verified.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realmArgs := &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		}
		realm, err := keycloak.NewRealm(ctx, "realm", realmArgs)
		if err != nil {
			return err
		}

		googleArgs := &oidc.GoogleIdentityProviderArgs{
			Realm:    realm.ID(),
			ClientId: pulumi.Any(_var.Google_identity_provider_client_id),
			// NOTE(review): this is a credential — wrap it as a Pulumi secret (or use the Keycloak vault reference format) so it is not written to stack state in plaintext.
			ClientSecret: pulumi.Any(_var.Google_identity_provider_client_secret),
			TrustEmail:   pulumi.Bool(true),
			HostedDomain: pulumi.String("example.com"),
			ExtraConfig: pulumi.StringMap{
				"syncMode": pulumi.String("IMPORT"),
			},
		}
		if _, err := oidc.NewGoogleIdentityProvider(ctx, "google", googleArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

This resource does not yet support importing.

func GetGoogleIdentityProvider

func GetGoogleIdentityProvider(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *GoogleIdentityProviderState, opts ...pulumi.ResourceOption) (*GoogleIdentityProvider, error)

GetGoogleIdentityProvider gets an existing GoogleIdentityProvider resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewGoogleIdentityProvider

func NewGoogleIdentityProvider(ctx *pulumi.Context,
	name string, args *GoogleIdentityProviderArgs, opts ...pulumi.ResourceOption) (*GoogleIdentityProvider, error)

NewGoogleIdentityProvider registers a new resource with the given unique name, arguments, and options.

func (*GoogleIdentityProvider) ElementType added in v3.1.1

func (*GoogleIdentityProvider) ElementType() reflect.Type

func (*GoogleIdentityProvider) ToGoogleIdentityProviderOutput added in v3.1.1

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderOutput() GoogleIdentityProviderOutput

func (*GoogleIdentityProvider) ToGoogleIdentityProviderOutputWithContext added in v3.1.1

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderOutputWithContext(ctx context.Context) GoogleIdentityProviderOutput

func (*GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutput added in v3.4.1

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput

func (*GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutputWithContext added in v3.4.1

func (i *GoogleIdentityProvider) ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput

type GoogleIdentityProviderArgs

// GoogleIdentityProviderArgs holds the inputs for creating a GoogleIdentityProvider.
// `ClientId`, `ClientSecret` and `Realm` are required; everything else is optional
// and falls back to the default noted on each field.
type GoogleIdentityProviderArgs struct {
	// When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	// NOTE(review): with `StoreToken` at its default of `true` this exposes the stored Google tokens to every newly created user.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from the Keycloak vault; use the `${vault.ID}` format.
	// This is a credential: pass it as a Pulumi secret or as a vault reference, never as a literal in source.
	ClientSecret pulumi.StringInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid profile email`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled pulumi.BoolPtrInput
	// Additional provider configuration entries, presumably passed to Keycloak verbatim (the example sets `syncMode`).
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When `*` is entered, an account from any domain can be used.
	// NOTE(review): `*` removes the only domain restriction on who can log in through this provider.
	HostedDomain pulumi.StringPtrInput
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `google`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringInput
	// Sets the "accessType" query parameter to "offline" when redirecting to the Google authorization endpoint, to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
	// NOTE(review): the refresh token is long-lived and, with `StoreToken` at `true`, is persisted in Keycloak.
	RequestRefreshToken pulumi.BoolPtrInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	// NOTE(review): relies entirely on Google having verified the address; pair with a concrete `HostedDomain` rather than `*`.
	TrustEmail pulumi.BoolPtrInput
	// Sets the "userIp" query parameter when querying Google's User Info service, passing the end user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
	UseUserIpParam pulumi.BoolPtrInput
}

The set of arguments for constructing a GoogleIdentityProvider resource.

func (GoogleIdentityProviderArgs) ElementType

func (GoogleIdentityProviderArgs) ElementType() reflect.Type

type GoogleIdentityProviderArray added in v3.4.1

// GoogleIdentityProviderArray is a slice of GoogleIdentityProvider inputs; it is the
// concrete value used to build a GoogleIdentityProviderArrayOutput.
type GoogleIdentityProviderArray []GoogleIdentityProviderInput

func (GoogleIdentityProviderArray) ElementType added in v3.4.1

func (GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutput added in v3.4.1

func (i GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutput() GoogleIdentityProviderArrayOutput

func (GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutputWithContext added in v3.4.1

func (i GoogleIdentityProviderArray) ToGoogleIdentityProviderArrayOutputWithContext(ctx context.Context) GoogleIdentityProviderArrayOutput

type GoogleIdentityProviderArrayInput added in v3.4.1

// GoogleIdentityProviderArrayInput is the input interface for a list of
// GoogleIdentityProvider resources; GoogleIdentityProviderArray and
// GoogleIdentityProviderArrayOutput both satisfy it.
type GoogleIdentityProviderArrayInput interface {
	pulumi.Input

	// ToGoogleIdentityProviderArrayOutput converts the input to its output form.
	ToGoogleIdentityProviderArrayOutput() GoogleIdentityProviderArrayOutput
	// ToGoogleIdentityProviderArrayOutputWithContext does the same with an explicit context.
	ToGoogleIdentityProviderArrayOutputWithContext(context.Context) GoogleIdentityProviderArrayOutput
}

GoogleIdentityProviderArrayInput is an input type that accepts GoogleIdentityProviderArray and GoogleIdentityProviderArrayOutput values. You can construct a concrete instance of `GoogleIdentityProviderArrayInput` via:

GoogleIdentityProviderArray{ GoogleIdentityProviderArgs{...} }

type GoogleIdentityProviderArrayOutput added in v3.4.1

// GoogleIdentityProviderArrayOutput is the output form of a list of GoogleIdentityProvider resources.
type GoogleIdentityProviderArrayOutput struct{ *pulumi.OutputState }

func (GoogleIdentityProviderArrayOutput) ElementType added in v3.4.1

func (GoogleIdentityProviderArrayOutput) Index added in v3.4.1

func (GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutput added in v3.4.1

func (o GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutput() GoogleIdentityProviderArrayOutput

func (GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutputWithContext added in v3.4.1

func (o GoogleIdentityProviderArrayOutput) ToGoogleIdentityProviderArrayOutputWithContext(ctx context.Context) GoogleIdentityProviderArrayOutput

type GoogleIdentityProviderInput added in v3.1.1

// GoogleIdentityProviderInput is the input interface for a single GoogleIdentityProvider
// resource; *GoogleIdentityProvider and GoogleIdentityProviderOutput satisfy it.
type GoogleIdentityProviderInput interface {
	pulumi.Input

	// ToGoogleIdentityProviderOutput converts the input to its output form.
	ToGoogleIdentityProviderOutput() GoogleIdentityProviderOutput
	// ToGoogleIdentityProviderOutputWithContext does the same with an explicit context.
	ToGoogleIdentityProviderOutputWithContext(ctx context.Context) GoogleIdentityProviderOutput
}

type GoogleIdentityProviderMap added in v3.4.1

// GoogleIdentityProviderMap is a string-keyed map of GoogleIdentityProvider inputs; it is
// the concrete value used to build a GoogleIdentityProviderMapOutput.
type GoogleIdentityProviderMap map[string]GoogleIdentityProviderInput

func (GoogleIdentityProviderMap) ElementType added in v3.4.1

func (GoogleIdentityProviderMap) ElementType() reflect.Type

func (GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutput added in v3.4.1

func (i GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutput() GoogleIdentityProviderMapOutput

func (GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutputWithContext added in v3.4.1

func (i GoogleIdentityProviderMap) ToGoogleIdentityProviderMapOutputWithContext(ctx context.Context) GoogleIdentityProviderMapOutput

type GoogleIdentityProviderMapInput added in v3.4.1

// GoogleIdentityProviderMapInput is the input interface for a string-keyed map of
// GoogleIdentityProvider resources; GoogleIdentityProviderMap and
// GoogleIdentityProviderMapOutput both satisfy it.
type GoogleIdentityProviderMapInput interface {
	pulumi.Input

	// ToGoogleIdentityProviderMapOutput converts the input to its output form.
	ToGoogleIdentityProviderMapOutput() GoogleIdentityProviderMapOutput
	// ToGoogleIdentityProviderMapOutputWithContext does the same with an explicit context.
	ToGoogleIdentityProviderMapOutputWithContext(context.Context) GoogleIdentityProviderMapOutput
}

GoogleIdentityProviderMapInput is an input type that accepts GoogleIdentityProviderMap and GoogleIdentityProviderMapOutput values. You can construct a concrete instance of `GoogleIdentityProviderMapInput` via:

GoogleIdentityProviderMap{ "key": GoogleIdentityProviderArgs{...} }

type GoogleIdentityProviderMapOutput added in v3.4.1

// GoogleIdentityProviderMapOutput is the output form of a string-keyed map of GoogleIdentityProvider resources.
type GoogleIdentityProviderMapOutput struct{ *pulumi.OutputState }

func (GoogleIdentityProviderMapOutput) ElementType added in v3.4.1

func (GoogleIdentityProviderMapOutput) MapIndex added in v3.4.1

func (GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutput added in v3.4.1

func (o GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutput() GoogleIdentityProviderMapOutput

func (GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutputWithContext added in v3.4.1

func (o GoogleIdentityProviderMapOutput) ToGoogleIdentityProviderMapOutputWithContext(ctx context.Context) GoogleIdentityProviderMapOutput

type GoogleIdentityProviderOutput added in v3.1.1

// GoogleIdentityProviderOutput is the output form of a single GoogleIdentityProvider resource.
type GoogleIdentityProviderOutput struct {
	*pulumi.OutputState
}

func (GoogleIdentityProviderOutput) ElementType added in v3.1.1

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutput added in v3.1.1

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutput() GoogleIdentityProviderOutput

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutputWithContext added in v3.1.1

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderOutputWithContext(ctx context.Context) GoogleIdentityProviderOutput

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutput added in v3.4.1

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput

func (GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutputWithContext added in v3.4.1

func (o GoogleIdentityProviderOutput) ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput

type GoogleIdentityProviderPtrInput added in v3.4.1

// GoogleIdentityProviderPtrInput is the input interface for an optional (pointer)
// GoogleIdentityProvider resource.
type GoogleIdentityProviderPtrInput interface {
	pulumi.Input

	// ToGoogleIdentityProviderPtrOutput converts the input to its pointer output form.
	ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput
	// ToGoogleIdentityProviderPtrOutputWithContext does the same with an explicit context.
	ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput
}

type GoogleIdentityProviderPtrOutput added in v3.4.1

// GoogleIdentityProviderPtrOutput is the output form of an optional (pointer) GoogleIdentityProvider resource.
type GoogleIdentityProviderPtrOutput struct {
	*pulumi.OutputState
}

func (GoogleIdentityProviderPtrOutput) ElementType added in v3.4.1

func (GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutput added in v3.4.1

func (o GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutput() GoogleIdentityProviderPtrOutput

func (GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutputWithContext added in v3.4.1

func (o GoogleIdentityProviderPtrOutput) ToGoogleIdentityProviderPtrOutputWithContext(ctx context.Context) GoogleIdentityProviderPtrOutput

type GoogleIdentityProviderState

// GoogleIdentityProviderState is the optional state passed to GetGoogleIdentityProvider
// when looking up an existing resource. Every field is optional; the (Computed) ones
// are normally filled in by Keycloak rather than by the caller.
type GoogleIdentityProviderState struct {
	// When `true`, unauthenticated requests with `prompt=none` will be forwarded to Google instead of returning an error. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// (Computed) The alias for the Google identity provider.
	Alias pulumi.StringPtrInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringPtrInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from the Keycloak vault; use the `${vault.ID}` format.
	// This is a credential: keep it out of plaintext state and source control.
	ClientSecret pulumi.StringPtrInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid profile email`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// (Computed) Display name for the Google identity provider in the GUI.
	DisplayName pulumi.StringPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled pulumi.BoolPtrInput
	// Additional provider configuration entries, presumably passed to Keycloak verbatim.
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// When `true`, this identity provider will be hidden on the login page. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When `*` is entered, an account from any domain can be used.
	HostedDomain pulumi.StringPtrInput
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringPtrInput
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `google`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringPtrInput
	// Sets the "accessType" query parameter to "offline" when redirecting to the Google authorization endpoint, to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
	RequestRefreshToken pulumi.BoolPtrInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	// NOTE(review): relies entirely on Google having verified the address; pair with a concrete `HostedDomain` rather than `*`.
	TrustEmail pulumi.BoolPtrInput
	// Sets the "userIp" query parameter when querying Google's User Info service, passing the end user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
	UseUserIpParam pulumi.BoolPtrInput
}

func (GoogleIdentityProviderState) ElementType

type IdentityProvider

// IdentityProvider is the Pulumi resource for a generic OIDC identity provider inside a
// Keycloak realm. Unlike GoogleIdentityProvider, the external IdP's endpoints must be
// supplied explicitly, and signature validation of its tokens is OFF unless
// `ValidateSignature` is set (see that field).
type IdentityProvider struct {
	pulumi.CustomResourceState

	// When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrOutput `pulumi:"acceptsPromptNoneForwardFromClient"`
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	// NOTE(review): together with `StoreToken` (default `true`) this lets every newly created user retrieve the external tokens Keycloak keeps for them.
	AddReadTokenRoleOnCreate pulumi.BoolPtrOutput `pulumi:"addReadTokenRoleOnCreate"`
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	// Because the redirect URI derives from it, renaming the alias changes the callback URL registered with the external IdP.
	Alias pulumi.StringOutput `pulumi:"alias"`
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrOutput `pulumi:"authenticateByDefault"`
	// The Authorization Url. Should be an `https://` endpoint — the user's browser is redirected here.
	AuthorizationUrl pulumi.StringOutput `pulumi:"authorizationUrl"`
	// Does the external IDP support backchannel logout? Defaults to `true`.
	BackchannelSupported pulumi.BoolPtrOutput `pulumi:"backchannelSupported"`
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// The client or client secret registered within the identity provider. This field is able to obtain its value from the Keycloak vault; use the `${vault.ID}` format.
	// This value is a credential: keep it out of plaintext stack state (mark it as a Pulumi secret or use the vault reference) and out of source control.
	ClientSecret pulumi.StringOutput `pulumi:"clientSecret"`
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
	DefaultScopes pulumi.StringPtrOutput `pulumi:"defaultScopes"`
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrOutput `pulumi:"disableUserInfo"`
	// Display name for the identity provider in the GUI.
	DisplayName pulumi.StringPtrOutput `pulumi:"displayName"`
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
	// Additional provider configuration entries, presumably passed to Keycloak verbatim (the example sets `clientAuthMethod`).
	ExtraConfig pulumi.MapOutput `pulumi:"extraConfig"`
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"firstBrokerLoginFlowAlias"`
	// When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrOutput `pulumi:"hideOnLoginPage"`
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringOutput `pulumi:"internalId"`
	// JSON Web Key Set URL. Presumably the key source used for signature validation — only meaningful with `ValidateSignature` set to `true`; verify against the Keycloak docs.
	JwksUrl pulumi.StringPtrOutput `pulumi:"jwksUrl"`
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrOutput `pulumi:"linkOnly"`
	// Pass login hint to identity provider.
	LoginHint pulumi.StringPtrOutput `pulumi:"loginHint"`
	// The Logout URL is the end session endpoint to use to logout user from external identity provider.
	LogoutUrl pulumi.StringPtrOutput `pulumi:"logoutUrl"`
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"postBrokerLoginFlowAlias"`
	// The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrOutput `pulumi:"providerId"`
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringOutput `pulumi:"realm"`
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrOutput `pulumi:"storeToken"`
	// The Token URL. Should be an `https://` endpoint — presumably where the client secret is presented (see `clientAuthMethod` in the example).
	TokenUrl pulumi.StringOutput `pulumi:"tokenUrl"`
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	// NOTE(review): this skips Keycloak's own verification step and relies entirely on the external IdP having verified the address.
	TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"`
	// Pass current locale to identity provider. Defaults to `false`.
	UiLocales pulumi.BoolPtrOutput `pulumi:"uiLocales"`
	// User Info URL.
	UserInfoUrl pulumi.StringPtrOutput `pulumi:"userInfoUrl"`
	// Enable/disable signature validation of external IDP signatures. Defaults to `false`.
	// NOTE(review): with the default, tokens from the external IdP are accepted without a signature check. Set this to `true` and point `JwksUrl` at the IdP's key set for any deployment that is not a throwaway test.
	ValidateSignature pulumi.BoolPtrOutput `pulumi:"validateSignature"`
}

Allows for creating and managing OIDC Identity Providers within Keycloak.

OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard. Note that this resource does not validate the external provider's token signatures unless `ValidateSignature` is explicitly set to `true`.

## Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-keycloak/sdk/v3/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v3/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"

)

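// main provisions a realm and registers a generic OIDC identity provider in it.
//
// Two points differ from the minimal form of this example: signature validation
// of the external IdP's tokens is switched on (the resource defaults
// `ValidateSignature` to `false`, which accepts those tokens unverified), and
// the client secret is wrapped as a Pulumi secret so it is encrypted in stack
// state instead of stored in plaintext. The URLs, client ID and secret are
// placeholders to be replaced with the real provider's values.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Do not keep a literal secret in source: read it from stack config or a
		// secret store, and wrap it so Pulumi encrypts it in state.
		clientSecret := pulumi.ToSecret(pulumi.String("clientSecret")).(pulumi.StringOutput)

		_, err = oidc.NewIdentityProvider(ctx, "realmIdentityProvider", &oidc.IdentityProviderArgs{
			Realm:            realm.ID(),
			Alias:            pulumi.String("my-idp"),
			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
			ClientId:         pulumi.String("clientID"),
			ClientSecret:     clientSecret,
			TokenUrl:         pulumi.String("https://tokenurl.com"),
			// Verify the signature on tokens issued by the external IdP against
			// its published key set. Without both of these the default is to
			// accept the tokens unverified.
			JwksUrl:           pulumi.String("https://authorizationurl.com/.well-known/jwks.json"),
			ValidateSignature: pulumi.Bool(true),
			ExtraConfig: pulumi.StringMap{
				"clientAuthMethod": pulumi.String("client_secret_post"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}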

```

## Import

Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. Example:

```sh

$ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp

```

func GetIdentityProvider

func GetIdentityProvider(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *IdentityProviderState, opts ...pulumi.ResourceOption) (*IdentityProvider, error)

GetIdentityProvider gets an existing IdentityProvider resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewIdentityProvider

func NewIdentityProvider(ctx *pulumi.Context,
	name string, args *IdentityProviderArgs, opts ...pulumi.ResourceOption) (*IdentityProvider, error)

NewIdentityProvider registers a new resource with the given unique name, arguments, and options.

func (*IdentityProvider) ElementType added in v3.1.1

func (*IdentityProvider) ElementType() reflect.Type

func (*IdentityProvider) ToIdentityProviderOutput added in v3.1.1

func (i *IdentityProvider) ToIdentityProviderOutput() IdentityProviderOutput

func (*IdentityProvider) ToIdentityProviderOutputWithContext added in v3.1.1

func (i *IdentityProvider) ToIdentityProviderOutputWithContext(ctx context.Context) IdentityProviderOutput

func (*IdentityProvider) ToIdentityProviderPtrOutput added in v3.4.1

func (i *IdentityProvider) ToIdentityProviderPtrOutput() IdentityProviderPtrOutput

func (*IdentityProvider) ToIdentityProviderPtrOutputWithContext added in v3.4.1

func (i *IdentityProvider) ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput

type IdentityProviderArgs

// IdentityProviderArgs holds the inputs for creating an IdentityProvider. `Alias`,
// `AuthorizationUrl`, `ClientId`, `ClientSecret`, `Realm` and `TokenUrl` are required;
// the rest are optional and fall back to the default noted on each field.
type IdentityProviderArgs struct {
	// When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	// NOTE(review): with `StoreToken` at its default of `true` this exposes the stored external tokens to every newly created user.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	// Renaming it therefore changes the callback URL registered with the external IdP.
	Alias pulumi.StringInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The Authorization Url. Should be an `https://` endpoint.
	AuthorizationUrl pulumi.StringInput
	// Does the external IDP support backchannel logout? Defaults to `true`.
	BackchannelSupported pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from the Keycloak vault; use the `${vault.ID}` format.
	// This is a credential: pass it as a Pulumi secret or as a vault reference, never as a literal in source.
	ClientSecret pulumi.StringInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// Display name for the identity provider in the GUI.
	DisplayName pulumi.StringPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled pulumi.BoolPtrInput
	// Additional provider configuration entries, presumably passed to Keycloak verbatim (the example sets `clientAuthMethod`).
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// JSON Web Key Set URL. Presumably the key source used for signature validation — only meaningful with `ValidateSignature` set to `true`; verify against the Keycloak docs.
	JwksUrl pulumi.StringPtrInput
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// Pass login hint to identity provider.
	LoginHint pulumi.StringPtrInput
	// The Logout URL is the end session endpoint to use to logout user from external identity provider.
	LogoutUrl pulumi.StringPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	StoreToken pulumi.BoolPtrInput
	// The Token URL. Should be an `https://` endpoint — presumably where the client secret is presented.
	TokenUrl pulumi.StringInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	// NOTE(review): relies entirely on the external IdP having verified the address.
	TrustEmail pulumi.BoolPtrInput
	// Pass current locale to identity provider. Defaults to `false`.
	UiLocales pulumi.BoolPtrInput
	// User Info URL.
	UserInfoUrl pulumi.StringPtrInput
	// Enable/disable signature validation of external IDP signatures. Defaults to `false`.
	// NOTE(review): with the default, tokens from the external IdP are accepted without a signature check. Set this to `true` and supply `JwksUrl` for any deployment that is not a throwaway test.
	ValidateSignature pulumi.BoolPtrInput
}

The set of arguments for constructing a IdentityProvider resource.

func (IdentityProviderArgs) ElementType

func (IdentityProviderArgs) ElementType() reflect.Type

type IdentityProviderArray added in v3.4.1

// IdentityProviderArray is a slice of IdentityProviderInput values; it is the
// concrete type used to build an IdentityProviderArrayInput (see the
// IdentityProviderArray{ IdentityProviderArgs{...} } form below).
type IdentityProviderArray []IdentityProviderInput

func (IdentityProviderArray) ElementType added in v3.4.1

func (IdentityProviderArray) ElementType() reflect.Type

func (IdentityProviderArray) ToIdentityProviderArrayOutput added in v3.4.1

func (i IdentityProviderArray) ToIdentityProviderArrayOutput() IdentityProviderArrayOutput

func (IdentityProviderArray) ToIdentityProviderArrayOutputWithContext added in v3.4.1

func (i IdentityProviderArray) ToIdentityProviderArrayOutputWithContext(ctx context.Context) IdentityProviderArrayOutput

type IdentityProviderArrayInput added in v3.4.1

// IdentityProviderArrayInput is satisfied by any value that can be converted
// into an IdentityProviderArrayOutput, with or without a caller-supplied
// context; IdentityProviderArray and IdentityProviderArrayOutput both
// implement it.
type IdentityProviderArrayInput interface {
	pulumi.Input

	// ToIdentityProviderArrayOutputWithContext converts the value using ctx.
	ToIdentityProviderArrayOutputWithContext(ctx context.Context) IdentityProviderArrayOutput
	// ToIdentityProviderArrayOutput converts the value with a default context.
	ToIdentityProviderArrayOutput() IdentityProviderArrayOutput
}

IdentityProviderArrayInput is an input type that accepts IdentityProviderArray and IdentityProviderArrayOutput values. You can construct a concrete instance of `IdentityProviderArrayInput` via:

IdentityProviderArray{ IdentityProviderArgs{...} }

type IdentityProviderArrayOutput added in v3.4.1

// IdentityProviderArrayOutput is the output form of an IdentityProviderArray.
// It embeds *pulumi.OutputState and exposes its element type through
// ElementType and positional access through Index.
type IdentityProviderArrayOutput struct {
	*pulumi.OutputState
}

func (IdentityProviderArrayOutput) ElementType added in v3.4.1

func (IdentityProviderArrayOutput) Index added in v3.4.1

func (IdentityProviderArrayOutput) ToIdentityProviderArrayOutput added in v3.4.1

func (o IdentityProviderArrayOutput) ToIdentityProviderArrayOutput() IdentityProviderArrayOutput

func (IdentityProviderArrayOutput) ToIdentityProviderArrayOutputWithContext added in v3.4.1

func (o IdentityProviderArrayOutput) ToIdentityProviderArrayOutputWithContext(ctx context.Context) IdentityProviderArrayOutput

type IdentityProviderInput added in v3.1.1

// IdentityProviderInput is satisfied by any value that can be converted into
// an IdentityProviderOutput, with or without a caller-supplied context.
type IdentityProviderInput interface {
	pulumi.Input

	// ToIdentityProviderOutputWithContext converts the value using ctx.
	ToIdentityProviderOutputWithContext(ctx context.Context) IdentityProviderOutput
	// ToIdentityProviderOutput converts the value with a default context.
	ToIdentityProviderOutput() IdentityProviderOutput
}

type IdentityProviderMap added in v3.4.1

// IdentityProviderMap is a string-keyed map of IdentityProviderInput values; it
// is the concrete type used to build an IdentityProviderMapInput (see the
// IdentityProviderMap{ "key": IdentityProviderArgs{...} } form below).
type IdentityProviderMap map[string]IdentityProviderInput

func (IdentityProviderMap) ElementType added in v3.4.1

func (IdentityProviderMap) ElementType() reflect.Type

func (IdentityProviderMap) ToIdentityProviderMapOutput added in v3.4.1

func (i IdentityProviderMap) ToIdentityProviderMapOutput() IdentityProviderMapOutput

func (IdentityProviderMap) ToIdentityProviderMapOutputWithContext added in v3.4.1

func (i IdentityProviderMap) ToIdentityProviderMapOutputWithContext(ctx context.Context) IdentityProviderMapOutput

type IdentityProviderMapInput added in v3.4.1

// IdentityProviderMapInput is satisfied by any value that can be converted
// into an IdentityProviderMapOutput, with or without a caller-supplied
// context; IdentityProviderMap and IdentityProviderMapOutput both implement it.
type IdentityProviderMapInput interface {
	pulumi.Input

	// ToIdentityProviderMapOutputWithContext converts the value using ctx.
	ToIdentityProviderMapOutputWithContext(ctx context.Context) IdentityProviderMapOutput
	// ToIdentityProviderMapOutput converts the value with a default context.
	ToIdentityProviderMapOutput() IdentityProviderMapOutput
}

IdentityProviderMapInput is an input type that accepts IdentityProviderMap and IdentityProviderMapOutput values. You can construct a concrete instance of `IdentityProviderMapInput` via:

IdentityProviderMap{ "key": IdentityProviderArgs{...} }

type IdentityProviderMapOutput added in v3.4.1

// IdentityProviderMapOutput is the output form of an IdentityProviderMap.
// It embeds *pulumi.OutputState and exposes its element type through
// ElementType and keyed access through MapIndex.
type IdentityProviderMapOutput struct {
	*pulumi.OutputState
}

func (IdentityProviderMapOutput) ElementType added in v3.4.1

func (IdentityProviderMapOutput) ElementType() reflect.Type

func (IdentityProviderMapOutput) MapIndex added in v3.4.1

func (IdentityProviderMapOutput) ToIdentityProviderMapOutput added in v3.4.1

func (o IdentityProviderMapOutput) ToIdentityProviderMapOutput() IdentityProviderMapOutput

func (IdentityProviderMapOutput) ToIdentityProviderMapOutputWithContext added in v3.4.1

func (o IdentityProviderMapOutput) ToIdentityProviderMapOutputWithContext(ctx context.Context) IdentityProviderMapOutput

type IdentityProviderOutput added in v3.1.1

// IdentityProviderOutput is the output form of an IdentityProvider resource.
// Besides the plain and context-aware output conversions, it can be lifted to
// an IdentityProviderPtrOutput via ToIdentityProviderPtrOutput.
type IdentityProviderOutput struct {
	*pulumi.OutputState
}

func (IdentityProviderOutput) ElementType added in v3.1.1

func (IdentityProviderOutput) ElementType() reflect.Type

func (IdentityProviderOutput) ToIdentityProviderOutput added in v3.1.1

func (o IdentityProviderOutput) ToIdentityProviderOutput() IdentityProviderOutput

func (IdentityProviderOutput) ToIdentityProviderOutputWithContext added in v3.1.1

func (o IdentityProviderOutput) ToIdentityProviderOutputWithContext(ctx context.Context) IdentityProviderOutput

func (IdentityProviderOutput) ToIdentityProviderPtrOutput added in v3.4.1

func (o IdentityProviderOutput) ToIdentityProviderPtrOutput() IdentityProviderPtrOutput

func (IdentityProviderOutput) ToIdentityProviderPtrOutputWithContext added in v3.4.1

func (o IdentityProviderOutput) ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput

type IdentityProviderPtrInput added in v3.4.1

// IdentityProviderPtrInput is satisfied by any value that can be converted
// into an IdentityProviderPtrOutput, with or without a caller-supplied context.
type IdentityProviderPtrInput interface {
	pulumi.Input

	// ToIdentityProviderPtrOutputWithContext converts the value using ctx.
	ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput
	// ToIdentityProviderPtrOutput converts the value with a default context.
	ToIdentityProviderPtrOutput() IdentityProviderPtrOutput
}

type IdentityProviderPtrOutput added in v3.4.1

// IdentityProviderPtrOutput is the pointer-output form of an IdentityProvider
// resource, produced from an IdentityProviderOutput via
// ToIdentityProviderPtrOutput.
type IdentityProviderPtrOutput struct {
	*pulumi.OutputState
}

func (IdentityProviderPtrOutput) ElementType added in v3.4.1

func (IdentityProviderPtrOutput) ElementType() reflect.Type

func (IdentityProviderPtrOutput) ToIdentityProviderPtrOutput added in v3.4.1

func (o IdentityProviderPtrOutput) ToIdentityProviderPtrOutput() IdentityProviderPtrOutput

func (IdentityProviderPtrOutput) ToIdentityProviderPtrOutputWithContext added in v3.4.1

func (o IdentityProviderPtrOutput) ToIdentityProviderPtrOutputWithContext(ctx context.Context) IdentityProviderPtrOutput

type IdentityProviderState

// IdentityProviderState holds the optional inputs used to look up or refresh an
// existing IdentityProvider resource. Every field is a pointer/optional input
// type; the set largely mirrors the IdentityProviderArgs inputs, plus the
// computed InternalId.
type IdentityProviderState struct {
	// When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
	AcceptsPromptNoneForwardFromClient pulumi.BoolPtrInput
	// When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
	Alias pulumi.StringPtrInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// The Authorization Url.
	AuthorizationUrl pulumi.StringPtrInput
	// Does the external IDP support backchannel logout? Defaults to `true`.
	BackchannelSupported pulumi.BoolPtrInput
	// The client or client identifier registered within the identity provider.
	ClientId pulumi.StringPtrInput
	// The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
	// NOTE(review): this is credential material — source it from the vault reference form above
	// or mark it as a secret in the Pulumi program rather than committing it in plain text, so it
	// does not surface in logs, diffs or state exports.
	ClientSecret pulumi.StringPtrInput
	// The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
	DefaultScopes pulumi.StringPtrInput
	// When `true`, disables the usage of the user info service to obtain additional user information. Defaults to `false`.
	DisableUserInfo pulumi.BoolPtrInput
	// Display name for the identity provider in the GUI.
	DisplayName pulumi.StringPtrInput
	// When `true`, users will be able to log in to this realm using this identity provider. Defaults to `true`.
	Enabled     pulumi.BoolPtrInput
	// ExtraConfig carries additional provider settings as a free-form map. The accepted keys are
	// not documented here; presumably they are passed through to Keycloak as-is — verify against
	// the provider schema before relying on a key.
	ExtraConfig pulumi.MapInput
	// The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// When `true`, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to `false`.
	HideOnLoginPage pulumi.BoolPtrInput
	// (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
	InternalId pulumi.StringPtrInput
	// JSON Web Key Set URL.
	JwksUrl pulumi.StringPtrInput
	// When `true`, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
	LinkOnly pulumi.BoolPtrInput
	// Pass login hint to identity provider.
	LoginHint pulumi.StringPtrInput
	// The Logout URL is the end session endpoint to use to logout user from external identity provider.
	LogoutUrl pulumi.StringPtrInput
	// The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
	ProviderId pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringPtrInput
	// When `true`, tokens will be stored after authenticating users. Defaults to `true`.
	// NOTE(review): stored external tokens become readable by holders of the `broker.read-token`
	// role (see AddReadTokenRoleOnCreate); set this to `false` when the tokens are not needed after login.
	StoreToken pulumi.BoolPtrInput
	// The Token URL.
	TokenUrl pulumi.StringPtrInput
	// When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
	// NOTE(review): only enable this for an IDP that is itself trusted to verify email ownership,
	// since the realm's own verification step is bypassed.
	TrustEmail pulumi.BoolPtrInput
	// Pass current locale to identity provider. Defaults to `false`.
	UiLocales pulumi.BoolPtrInput
	// User Info URL.
	UserInfoUrl pulumi.StringPtrInput
	// Enable/disable signature validation of external IDP signatures. Defaults to `false`.
	// NOTE(review): with the default, material from the external IDP is accepted without a signature
	// check; production realms should set this to `true`, typically together with JwksUrl — confirm
	// the exact key-source behaviour against the Keycloak documentation.
	ValidateSignature pulumi.BoolPtrInput
}

func (IdentityProviderState) ElementType

func (IdentityProviderState) ElementType() reflect.Type
