IdentityProvider
Create an IdentityProvider Resource
TypeScript
new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
Python
def IdentityProvider(resource_name, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, authorization_url=None, backchannel_supported=None, client_id=None, client_secret=None, default_scopes=None, display_name=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, jwks_url=None, link_only=None, login_hint=None, logout_url=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, store_token=None, token_url=None, trust_email=None, ui_locales=None, user_info_url=None, validate_signature=None, __props__=None);
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
Go
func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
C#
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
IdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The IdentityProvider resource accepts the following input properties:
C#
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- AuthorizationUrl string
OIDC authorization URL.
- ClientId string
Client ID.
- ClientSecret string
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- Realm string
Realm name.
- TokenUrl string
Token URL.
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- BackchannelSupported bool
Does the external IdP support backchannel logout?
- DefaultScopes string
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- DisplayName string
Friendly name for the identity provider.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig Dictionary<string, object>
Additional provider configuration passed through to Keycloak as key/value pairs.
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- HideOnLoginPage bool
Hide on login page.
- JwksUrl string
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- LinkOnly bool
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- LoginHint string
Login hint.
- LogoutUrl string
Logout URL.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
Provider id; always oidc unless you have a custom implementation.
- StoreToken bool
Enable/disable storing the external tokens after authenticating users.
- TrustEmail bool
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- UiLocales bool
Pass the current locale to the identity provider.
- UserInfoUrl string
User info URL.
- ValidateSignature bool
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
Go
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- AuthorizationUrl string
OIDC authorization URL.
- ClientId string
Client ID.
- ClientSecret string
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- Realm string
Realm name.
- TokenUrl string
Token URL.
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- BackchannelSupported bool
Does the external IdP support backchannel logout?
- DefaultScopes string
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- DisplayName string
Friendly name for the identity provider.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig map[string]interface{}
Additional provider configuration passed through to Keycloak as key/value pairs.
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- HideOnLoginPage bool
Hide on login page.
- JwksUrl string
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- LinkOnly bool
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- LoginHint string
Login hint.
- LogoutUrl string
Logout URL.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
Provider id; always oidc unless you have a custom implementation.
- StoreToken bool
Enable/disable storing the external tokens after authenticating users.
- TrustEmail bool
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- UiLocales bool
Pass the current locale to the identity provider.
- UserInfoUrl string
User info URL.
- ValidateSignature bool
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
TypeScript
- alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- authorizationUrl string
OIDC authorization URL.
- clientId string
Client ID.
- clientSecret string
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- realm string
Realm name.
- tokenUrl string
Token URL.
- acceptsPromptNoneForwardFromClient boolean
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- addReadTokenRoleOnCreate boolean
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- authenticateByDefault boolean
Enable/disable authenticating users by default.
- backchannelSupported boolean
Does the external IdP support backchannel logout?
- defaultScopes string
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- displayName string
Friendly name for the identity provider.
- enabled boolean
Enable/disable this identity provider.
- extraConfig {[key: string]: any}
Additional provider configuration passed through to Keycloak as key/value pairs.
- firstBrokerLoginFlowAlias string
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- hideOnLoginPage boolean
Hide on login page.
- jwksUrl string
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- linkOnly boolean
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- loginHint string
Login hint.
- logoutUrl string
Logout URL.
- postBrokerLoginFlowAlias string
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- providerId string
Provider id; always oidc unless you have a custom implementation.
- storeToken boolean
Enable/disable storing the external tokens after authenticating users.
- trustEmail boolean
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- uiLocales boolean
Pass the current locale to the identity provider.
- userInfoUrl string
User info URL.
- validateSignature boolean
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
Python
- alias str
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- authorization_url str
OIDC authorization URL.
- client_id str
Client ID.
- client_secret str
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- realm str
Realm name.
- token_url str
Token URL.
- accepts_prompt_none_forward_from_client bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- add_read_token_role_on_create bool
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate_by_default bool
Enable/disable authenticating users by default.
- backchannel_supported bool
Does the external IdP support backchannel logout?
- default_scopes str
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- display_name str
Friendly name for the identity provider.
- enabled bool
Enable/disable this identity provider.
- extra_config Dict[str, Any]
Additional provider configuration passed through to Keycloak as key/value pairs.
- first_broker_login_flow_alias str
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- hide_on_login_page bool
Hide on login page.
- jwks_url str
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- link_only bool
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- login_hint str
Login hint.
- logout_url str
Logout URL.
- post_broker_login_flow_alias str
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- provider_id str
Provider id; always oidc unless you have a custom implementation.
- store_token bool
Enable/disable storing the external tokens after authenticating users.
- trust_email bool
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- ui_locales bool
Pass the current locale to the identity provider.
- user_info_url str
User info URL.
- validate_signature bool
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
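Several of the inputs above interact (signature validation needs a key source, stored tokens plus the read-token role expose them to every new user, and the alias fixes the callback URI that must be registered at the external provider). The following is an added example, not code from this page or from the pulumi-keycloak package: a plain TypeScript pre-flight check over an object shaped like the TypeScript inputs listed above, plus a helper that builds Keycloak's broker redirect URI (/realms/<realm>/broker/<alias>/endpoint). The policy rules, the sample hosts under example.test and the placeholder secret are this example's own assumptions, not Keycloak or Pulumi defaults.

```typescript
// Added example, not code from the Pulumi page or package: pre-flight checks on
// the IdentityProvider inputs listed above, in plain TypeScript so it runs
// without a Pulumi engine. The interface mirrors the page's TypeScript input
// names; the rules below are this example's own hardening policy.

export interface IdentityProviderArgs {
  realm: string;
  alias: string;
  authorizationUrl: string;
  tokenUrl: string;
  clientId: string;
  clientSecret: string;
  jwksUrl?: string;
  defaultScopes?: string;
  validateSignature?: boolean;
  trustEmail?: boolean;
  storeToken?: boolean;
  addReadTokenRoleOnCreate?: boolean;
}

// Keycloak's broker callback is /realms/<realm>/broker/<alias>/endpoint; this
// is the redirect URI the alias builds, and the exact value the external IdP
// must allow for the client it issued to Keycloak.
export function brokerRedirectUri(keycloakBaseUrl: string, realm: string, alias: string): string {
  const base = keycloakBaseUrl.replace(/\/+$/, "");
  return `${base}/realms/${encodeURIComponent(realm)}/broker/${encodeURIComponent(alias)}/endpoint`;
}

function isHttps(url: string): boolean {
  try {
    return new URL(url).protocol === "https:";
  } catch {
    return false;
  }
}

// Returns the findings; an empty list means the inputs passed every rule.
export function lintIdentityProviderArgs(args: IdentityProviderArgs): string[] {
  const findings: string[] = [];

  // Every broker endpoint carries codes, tokens or the client secret: TLS only.
  const endpoints: [string, string | undefined][] = [
    ["authorizationUrl", args.authorizationUrl], ["tokenUrl", args.tokenUrl], ["jwksUrl", args.jwksUrl],
  ];
  for (const [name, url] of endpoints) {
    if (url !== undefined && !isHttps(url)) findings.push(`${name} must use https, got: ${url}`);
  }
  if (!args.clientSecret) findings.push("clientSecret is empty; the token endpoint call would be unauthenticated");

  // Without signature validation the id token returned by the external token
  // endpoint is accepted without any check that the external IdP issued it.
  if (args.validateSignature !== true) {
    findings.push("validateSignature is not enabled");
  } else if (!args.jwksUrl) {
    findings.push("validateSignature is enabled but jwksUrl is unset; supply a validating key another way (e.g. extraConfig)");
  }

  // defaultScopes defaults to 'openid'; an explicit value that drops it leaves
  // plain OAuth with no id token to validate.
  const scopes = (args.defaultScopes ?? "openid").split(/\s+/).filter((s) => s.length > 0);
  if (!scopes.includes("openid")) findings.push(`defaultScopes does not include openid: "${args.defaultScopes}"`);

  // trustEmail bypasses the realm's own email verification for this provider.
  if (args.trustEmail === true) findings.push("trustEmail is enabled; this provider's email claims are accepted as verified");

  // storeToken keeps the external tokens and addReadTokenRoleOnCreate grants
  // every new brokered user broker.read-token, so they can read them back.
  if (args.storeToken === true && args.addReadTokenRoleOnCreate === true) {
    findings.push("storeToken and addReadTokenRoleOnCreate are both enabled; new users can read stored external tokens");
  }
  return findings;
}

// Constructed sample inputs with placeholder hosts (not real endpoints).
export const hardenedArgs: IdentityProviderArgs = {
  realm: "example",
  alias: "corp-oidc",
  authorizationUrl: "https://idp.example.test/oauth2/authorize",
  tokenUrl: "https://idp.example.test/oauth2/token",
  jwksUrl: "https://idp.example.test/oauth2/jwks",
  clientId: "keycloak-broker",
  clientSecret: "placeholder-load-from-encrypted-config", // constructed placeholder, not a real secret
  defaultScopes: "openid email profile",
  validateSignature: true,
  trustEmail: false,
  storeToken: false,
};

// The same provider with settings a hurried setup tends to leave behind.
export const weakArgs: IdentityProviderArgs = {
  ...hardenedArgs,
  tokenUrl: "http://idp.example.test/oauth2/token",
  validateSignature: false,
  defaultScopes: "email profile",
  storeToken: true,
  addReadTokenRoleOnCreate: true,
};
```

In a Pulumi program, run lintIdentityProviderArgs over the args before handing them to the IdentityProvider constructor shown above, register the value returned by brokerRedirectUri as the allowed redirect URI at the external provider, and load clientSecret with Pulumi's config.requireSecret so it is encrypted in state instead of being stored in plaintext.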
Outputs
All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:
C#
- Id string
The provider-assigned unique ID for this managed resource.
- InternalId string
Internal identity provider id.
Go
- Id string
The provider-assigned unique ID for this managed resource.
- InternalId string
Internal identity provider id.
TypeScript
- id string
The provider-assigned unique ID for this managed resource.
- internalId string
Internal identity provider id.
Python
- id str
The provider-assigned unique ID for this managed resource.
- internal_id str
Internal identity provider id.
Look up an Existing IdentityProvider Resource
Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
TypeScript
public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
Python
static get(resource_name, id, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, authorization_url=None, backchannel_supported=None, client_id=None, client_secret=None, default_scopes=None, display_name=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, internal_id=None, jwks_url=None, link_only=None, login_hint=None, logout_url=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, store_token=None, token_url=None, trust_email=None, ui_locales=None, user_info_url=None, validate_signature=None, __props__=None);
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
Go
func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
C#
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
C#
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- AuthorizationUrl string
OIDC authorization URL.
- BackchannelSupported bool
Does the external IdP support backchannel logout?
- ClientId string
Client ID.
- ClientSecret string
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- DefaultScopes string
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- DisplayName string
Friendly name for the identity provider.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig Dictionary<string, object>
Additional provider configuration passed through to Keycloak as key/value pairs.
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- HideOnLoginPage bool
Hide on login page.
- InternalId string
Internal identity provider id.
- JwksUrl string
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- LinkOnly bool
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- LoginHint string
Login hint.
- LogoutUrl string
Logout URL.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
Provider id; always oidc unless you have a custom implementation.
- Realm string
Realm name.
- StoreToken bool
Enable/disable storing the external tokens after authenticating users.
- TokenUrl string
Token URL.
- TrustEmail bool
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- UiLocales bool
Pass the current locale to the identity provider.
- UserInfoUrl string
User info URL.
- ValidateSignature bool
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
Go
- AcceptsPromptNoneForwardFromClient bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- AddReadTokenRoleOnCreate bool
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- AuthenticateByDefault bool
Enable/disable authenticating users by default.
- AuthorizationUrl string
OIDC authorization URL.
- BackchannelSupported bool
Does the external IdP support backchannel logout?
- ClientId string
Client ID.
- ClientSecret string
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- DefaultScopes string
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- DisplayName string
Friendly name for the identity provider.
- Enabled bool
Enable/disable this identity provider.
- ExtraConfig map[string]interface{}
Additional provider configuration passed through to Keycloak as key/value pairs.
- FirstBrokerLoginFlowAlias string
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- HideOnLoginPage bool
Hide on login page.
- InternalId string
Internal identity provider id.
- JwksUrl string
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- LinkOnly bool
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- LoginHint string
Login hint.
- LogoutUrl string
Logout URL.
- PostBrokerLoginFlowAlias string
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- ProviderId string
Provider id; always oidc unless you have a custom implementation.
- Realm string
Realm name.
- StoreToken bool
Enable/disable storing the external tokens after authenticating users.
- TokenUrl string
Token URL.
- TrustEmail bool
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- UiLocales bool
Pass the current locale to the identity provider.
- UserInfoUrl string
User info URL.
- ValidateSignature bool
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
TypeScript
- acceptsPromptNoneForwardFromClient boolean
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- addReadTokenRoleOnCreate boolean
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- alias string
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- authenticateByDefault boolean
Enable/disable authenticating users by default.
- authorizationUrl string
OIDC authorization URL.
- backchannelSupported boolean
Does the external IdP support backchannel logout?
- clientId string
Client ID.
- clientSecret string
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- defaultScopes string
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- displayName string
Friendly name for the identity provider.
- enabled boolean
Enable/disable this identity provider.
- extraConfig {[key: string]: any}
Additional provider configuration passed through to Keycloak as key/value pairs.
- firstBrokerLoginFlowAlias string
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- hideOnLoginPage boolean
Hide on login page.
- internalId string
Internal identity provider id.
- jwksUrl string
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- linkOnly boolean
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- loginHint string
Login hint.
- logoutUrl string
Logout URL.
- postBrokerLoginFlowAlias string
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- providerId string
Provider id; always oidc unless you have a custom implementation.
- realm string
Realm name.
- storeToken boolean
Enable/disable storing the external tokens after authenticating users.
- tokenUrl string
Token URL.
- trustEmail boolean
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- uiLocales boolean
Pass the current locale to the identity provider.
- userInfoUrl string
User info URL.
- validateSignature boolean
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
Python
- accepts_prompt_none_forward_from_client bool
Only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If a client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the prompt=none request is forwarded to this identity provider.
- add_read_token_role_on_create bool
Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
- alias str
The alias uniquely identifies an identity provider and is also used to build the redirect URI that the external provider must allow for Keycloak's broker callback.
- authenticate_by_default bool
Enable/disable authenticating users by default.
- authorization_url str
OIDC authorization URL.
- backchannel_supported bool
Does the external IdP support backchannel logout?
- client_id str
Client ID.
- client_secret str
Client secret. Sensitive: supply it from an encrypted configuration value rather than as a literal in source.
- default_scopes str
The scopes to request during authorization, as a space-separated list. Defaults to 'openid'.
- display_name str
Friendly name for the identity provider.
- enabled bool
Enable/disable this identity provider.
- extra_config Dict[str, Any]
Additional provider configuration passed through to Keycloak as key/value pairs.
- first_broker_login_flow_alias str
Alias of the authentication flow triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked to the authenticated identity provider account.
- hide_on_login_page bool
Hide on login page.
- internal_id str
Internal identity provider id.
- jwks_url str
JSON Web Key Set URL from which the external IdP's signing keys are fetched for signature validation.
- link_only bool
If true, users cannot log in through this provider; they can only link their account to it. Useful when you want to integrate with a provider without allowing login from it.
- login_hint str
Login hint.
- logout_url str
Logout URL.
- post_broker_login_flow_alias str
Alias of the authentication flow triggered after each login with this identity provider. Useful for additional verification of every user authenticated through this identity provider (for example OTP). Leave empty if no additional authenticators should run after login. Authenticator implementations must assume the user is already set in the ClientSession, because the identity provider has already set it.
- provider_id str
Provider id; always oidc unless you have a custom implementation.
- realm str
Realm name.
- store_token bool
Enable/disable storing the external tokens after authenticating users.
- token_url str
Token URL.
- trust_email bool
If enabled, the email provided by this provider is treated as verified even if verification is enabled for the realm. Enable only for providers whose email claims you trust.
- ui_locales bool
Pass the current locale to the identity provider.
- user_info_url str
User info URL.
- validate_signature bool
Enable/disable signature validation of tokens issued by the external IdP. Leave enabled; otherwise the id token returned by the external token endpoint is accepted without its signature being checked.
Package Details
- Repository
- https://github.com/pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the keycloak Terraform Provider.