GoogleIdentityProvider
Create a GoogleIdentityProvider Resource
TypeScript
new GoogleIdentityProvider(name: string, args: GoogleIdentityProviderArgs, opts?: CustomResourceOptions);
- name string
The unique name of the resource.
- args GoogleIdentityProviderArgs
The arguments to resource properties.
- opts CustomResourceOptions
Bag of options to control resource's behavior.
Python
def GoogleIdentityProvider(resource_name, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, authenticate_by_default=None, client_id=None, client_secret=None, default_scopes=None, disable_user_info=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, hosted_domain=None, link_only=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, request_refresh_token=None, store_token=None, trust_email=None, use_user_ip_param=None, __props__=None);
- resource_name str
The unique name of the resource.
- opts ResourceOptions
A bag of options that control this resource's behavior.
Go
func NewGoogleIdentityProvider(ctx *Context, name string, args GoogleIdentityProviderArgs, opts ...ResourceOption) (*GoogleIdentityProvider, error)
- ctx Context
Context object for the current deployment.
- name string
The unique name of the resource.
- args GoogleIdentityProviderArgs
The arguments to resource properties.
- opts ResourceOption
Bag of options to control resource's behavior.
C#
public GoogleIdentityProvider(string name, GoogleIdentityProviderArgs args, CustomResourceOptions? opts = null)
- name string
The unique name of the resource.
- args GoogleIdentityProviderArgs
The arguments to resource properties.
- opts CustomResourceOptions
Bag of options to control resource's behavior.
GoogleIdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The GoogleIdentityProvider resource accepts the following input properties:
C#
- ClientId string
Client ID.
- ClientSecret string
Client Secret.
- Realm string
Realm Name
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- DefaultScopes string
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- DisableUserInfo bool
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig Dictionary<string, object>
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- HideOnLoginPage bool
Hide On Login Page.
- HostedDomain string
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- LinkOnly bool
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- ProviderId string
Provider ID; always google, unless you have an extended custom implementation.
- RequestRefreshToken bool
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- StoreToken bool
Enable/disable if tokens must be stored after authenticating users.
- TrustEmail bool
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- UseUserIpParam bool
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
Go
- ClientId string
Client ID.
- ClientSecret string
Client Secret.
- Realm string
Realm Name
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- DefaultScopes string
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- DisableUserInfo bool
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig map[string]interface{}
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- HideOnLoginPage bool
Hide On Login Page.
- HostedDomain string
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- LinkOnly bool
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- ProviderId string
Provider ID; always google, unless you have an extended custom implementation.
- RequestRefreshToken bool
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- StoreToken bool
Enable/disable if tokens must be stored after authenticating users.
- TrustEmail bool
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- UseUserIpParam bool
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
TypeScript
- clientId string
Client ID.
- clientSecret string
Client Secret.
- realm string
Realm Name
- acceptsPromptNoneForwardFromClient boolean
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- addReadTokenRoleOnCreate boolean
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticateByDefault boolean
Enable/disable authenticating users by default.
- defaultScopes string
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- disableUserInfo boolean
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- enabled boolean
Enable/disable this identity provider.
- extraConfig {[key: string]: any}
- firstBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- hideOnLoginPage boolean
Hide On Login Page.
- hostedDomain string
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- linkOnly boolean
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- postBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- providerId string
Provider ID; always google, unless you have an extended custom implementation.
- requestRefreshToken boolean
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- storeToken boolean
Enable/disable if tokens must be stored after authenticating users.
- trustEmail boolean
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- useUserIpParam boolean
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
Python
- client_id str
Client ID.
- client_secret str
Client Secret.
- realm str
Realm Name
- accepts_prompt_none_forward_from_client bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- add_read_token_role_on_create bool
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate_by_default bool
Enable/disable authenticating users by default.
- default_scopes str
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- disable_user_info bool
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- enabled bool
Enable/disable this identity provider.
- extra_config Dict[str, Any]
- first_broker_login_flow_alias str
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- hide_on_login_page bool
Hide On Login Page.
- hosted_domain str
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- link_only bool
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- post_broker_login_flow_alias str
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- provider_id str
Provider ID; always google, unless you have an extended custom implementation.
- request_refresh_token bool
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- store_token bool
Enable/disable if tokens must be stored after authenticating users.
- trust_email bool
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- use_user_ip_param bool
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
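An added example, not part of the Pulumi or Keycloak documentation: a Python check that reviews a set of GoogleIdentityProvider arguments for the combinations the input descriptions make security-relevant (an open hosted_domain, trust_email, and stored tokens readable by new users). The rule names, severities and sample values are this example's own, and it assumes that an unset boolean counts as False and that default_scopes is whitespace-separated like the documented default.

```python
"""Configuration review for GoogleIdentityProvider arguments (added example)."""
from dataclasses import dataclass

# Default scope set stated on this page for default_scopes.
PAGE_DEFAULT_SCOPES = {"openid", "profile", "email"}


@dataclass(frozen=True)
class Finding:
    rule: str      # rule name, defined by this example only
    severity: str  # "high", "medium" or "info"
    detail: str


def audit_google_idp(args):
    """Return findings for a dict keyed by the Python property names.

    Assumptions: an unset boolean counts as False, an unset string as empty,
    and default_scopes is whitespace-separated like the documented default.
    """
    findings = []
    hosted = (args.get("hosted_domain") or "").strip()
    open_domain = hosted in ("", "*")          # no 'hd' limit, or any hosted account
    login_allowed = not args.get("link_only")  # link_only disables login via Google

    if open_domain and login_allowed:
        findings.append(Finding(
            "open-hosted-domain", "medium",
            "hosted_domain is %r: sign-in is not limited to one Google "
            "domain" % hosted))

    if args.get("trust_email"):
        findings.append(Finding(
            "trusted-email", "high" if open_domain else "medium",
            "trust_email skips the realm's email verification for "
            "accounts from " + ("any domain" if open_domain else hosted)))

    if args.get("store_token") and args.get("add_read_token_role_on_create"):
        refresh = bool(args.get("request_refresh_token"))
        findings.append(Finding(
            "stored-token-readable", "high" if refresh else "medium",
            "new users get broker.read-token on stored tokens"
            + (", including an offline refresh token" if refresh else "")))

    extra = sorted(set((args.get("default_scopes") or "").split())
                   - PAGE_DEFAULT_SCOPES)
    if extra:
        findings.append(Finding(
            "extra-scopes", "info",
            "scopes beyond the documented default: " + ", ".join(extra)))

    if login_allowed and not args.get("post_broker_login_flow_alias"):
        findings.append(Finding(
            "no-post-login-flow", "info",
            "no post_broker_login_flow_alias: no extra verification "
            "(for example OTP) runs after each Google login"))
    return findings


# Constructed sample arguments; realm, client and flow names are hypothetical.
WEAK = {
    "realm": "example-realm",
    "client_id": "constructed-client-id",
    "client_secret": "<from-secret-store>",
    "hosted_domain": "*",
    "trust_email": True,
    "store_token": True,
    "add_read_token_role_on_create": True,
    "request_refresh_token": True,
    "default_scopes": "openid profile email "
                      "https://www.googleapis.com/auth/drive.readonly",
}

HARDENED = {
    "realm": "example-realm",
    "client_id": "constructed-client-id",
    "client_secret": "<from-secret-store>",
    "hosted_domain": "example.com",
    "trust_email": False,
    "store_token": False,
    "default_scopes": "openid profile email",
    "post_broker_login_flow_alias": "otp-after-google",  # hypothetical flow alias
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for f in audit_google_idp(cfg):
            print("  [%s] %s: %s" % (f.severity, f.rule, f.detail))
```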
Outputs
All input properties are implicitly available as output properties. Additionally, the GoogleIdentityProvider resource produces the following output properties:
C#
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- DisplayName string
Not used by this provider; will be implicitly Google.
- Id string
The provider-assigned unique ID for this managed resource.
- InternalId string
Internal Identity Provider Id
Go
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- DisplayName string
Not used by this provider; will be implicitly Google.
- Id string
The provider-assigned unique ID for this managed resource.
- InternalId string
Internal Identity Provider Id
TypeScript
- alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- displayName string
Not used by this provider; will be implicitly Google.
- id string
The provider-assigned unique ID for this managed resource.
- internalId string
Internal Identity Provider Id
Python
- alias str
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- display_name str
Not used by this provider; will be implicitly Google.
- id str
The provider-assigned unique ID for this managed resource.
- internal_id str
Internal Identity Provider Id
Look up an Existing GoogleIdentityProvider Resource
Get an existing GoogleIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
TypeScript
public static get(name: string, id: Input<ID>, state?: GoogleIdentityProviderState, opts?: CustomResourceOptions): GoogleIdentityProvider
- name
The unique name of the resulting resource.
- id
The unique provider ID of the resource to lookup.
- state
Any extra arguments used during the lookup.
- opts
A bag of options that control this resource's behavior.
Python
static get(resource_name, id, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, client_id=None, client_secret=None, default_scopes=None, disable_user_info=None, display_name=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, hosted_domain=None, internal_id=None, link_only=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, request_refresh_token=None, store_token=None, trust_email=None, use_user_ip_param=None, __props__=None);
- resource_name
The unique name of the resulting resource.
- id
The unique provider ID of the resource to lookup.
Go
func GetGoogleIdentityProvider(ctx *Context, name string, id IDInput, state *GoogleIdentityProviderState, opts ...ResourceOption) (*GoogleIdentityProvider, error)
- name
The unique name of the resulting resource.
- id
The unique provider ID of the resource to lookup.
- state
Any extra arguments used during the lookup.
- opts
A bag of options that control this resource's behavior.
C#
public static GoogleIdentityProvider Get(string name, Input<string> id, GoogleIdentityProviderState? state, CustomResourceOptions? opts = null)
- name
The unique name of the resulting resource.
- id
The unique provider ID of the resource to lookup.
- state
Any extra arguments used during the lookup.
- opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
C#
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- ClientId string
Client ID.
- ClientSecret string
Client Secret.
- DefaultScopes string
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- DisableUserInfo bool
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- DisplayName string
Not used by this provider; will be implicitly Google.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig Dictionary<string, object>
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- HideOnLoginPage bool
Hide On Login Page.
- HostedDomain string
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- InternalId string
Internal Identity Provider Id
- LinkOnly bool
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- ProviderId string
Provider ID; always google, unless you have an extended custom implementation.
- Realm string
Realm Name
- RequestRefreshToken bool
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- StoreToken bool
Enable/disable if tokens must be stored after authenticating users.
- TrustEmail bool
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- UseUserIpParam bool
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
Go
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- ClientId string
Client ID.
- ClientSecret string
Client Secret.
- DefaultScopes string
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- DisableUserInfo bool
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- DisplayName string
Not used by this provider; will be implicitly Google.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig map[string]interface{}
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- HideOnLoginPage bool
Hide On Login Page.
- HostedDomain string
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- InternalId string
Internal Identity Provider Id
- LinkOnly bool
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- ProviderId string
Provider ID; always google, unless you have an extended custom implementation.
- Realm string
Realm Name
- RequestRefreshToken bool
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- StoreToken bool
Enable/disable if tokens must be stored after authenticating users.
- TrustEmail bool
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- UseUserIpParam bool
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
TypeScript
- acceptsPromptNoneForwardFromClient boolean
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- addReadTokenRoleOnCreate boolean
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- authenticateByDefault boolean
Enable/disable authenticating users by default.
- clientId string
Client ID.
- clientSecret string
Client Secret.
- defaultScopes string
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- disableUserInfo boolean
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- displayName string
Not used by this provider; will be implicitly Google.
- enabled boolean
Enable/disable this identity provider.
- extraConfig {[key: string]: any}
- firstBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- hideOnLoginPage boolean
Hide On Login Page.
- hostedDomain string
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- internalId string
Internal Identity Provider Id
- linkOnly boolean
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- postBrokerLoginFlowAlias string
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- providerId string
Provider ID; always google, unless you have an extended custom implementation.
- realm string
Realm Name
- requestRefreshToken boolean
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- storeToken boolean
Enable/disable if tokens must be stored after authenticating users.
- trustEmail boolean
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- useUserIpParam boolean
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
Python
- accepts_prompt_none_forward_from_client bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead, the request with prompt=none is forwarded to this identity provider.
- add_read_token_role_on_create bool
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias str
The alias uniquely identifies an identity provider and is also used to build the redirect URI. For Google this is computed and is always google.
- authenticate_by_default bool
Enable/disable authenticating users by default.
- client_id str
Client ID.
- client_secret str
Client Secret.
- default_scopes str
The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. Default: ‘openid profile email’
- disable_user_info bool
Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
- display_name str
Not used by this provider; will be implicitly Google.
- enabled bool
Enable/disable this identity provider.
- extra_config Dict[str, Any]
- first_broker_login_flow_alias str
Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.
- hide_on_login_page bool
Hide On Login Page.
- hosted_domain str
Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.
- internal_id str
Internal Identity Provider Id
- link_only bool
If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.
- post_broker_login_flow_alias str
Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
- provider_id str
Provider ID; always google, unless you have an extended custom implementation.
- realm str
Realm Name
- request_refresh_token bool
Set ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
- store_token bool
Enable/disable if tokens must be stored after authenticating users.
- trust_email bool
If enabled, the email provided by this provider is not verified even if verification is enabled for the realm.
- use_user_ip_param bool
Set ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.
Package Details
- Repository
- https://github.com/pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the keycloak Terraform Provider.