This page documents the language specification for the keycloak package. If you're looking for help working with the inputs, outputs, or functions of keycloak resources in a Pulumi program, please see the resource documentation for examples and API reference.

oidc

class pulumi_keycloak.oidc.GoogleIdentityProvider(resource_name, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, authenticate_by_default=None, client_id=None, client_secret=None, default_scopes=None, disable_user_info=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, hosted_domain=None, link_only=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, request_refresh_token=None, store_token=None, trust_email=None, use_user_ip_param=None, __props__=None, __name__=None, __opts__=None)

Create a GoogleIdentityProvider resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accepts_prompt_none_forward_from_client (pulumi.Input[bool]) – This is only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the request with prompt=none is forwarded to this identity provider.

  • add_read_token_role_on_create (pulumi.Input[bool]) – Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

  • authenticate_by_default (pulumi.Input[bool]) – Enable/disable authenticating users by default.

  • client_id (pulumi.Input[str]) – Client ID.

  • client_secret (pulumi.Input[str]) – Client Secret.

  • default_scopes (pulumi.Input[str]) – The scopes to be sent when asking for authorization. See the documentation for possible values, the separator and the default value. Default: ‘openid profile email’.

  • disable_user_info (pulumi.Input[bool]) – Disable use of the User Info service to obtain additional user information. By default this OIDC service is used.

  • enabled (pulumi.Input[bool]) – Enable/disable this identity provider.

  • first_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

  • hide_on_login_page (pulumi.Input[bool]) – Hide On Login Page.

  • hosted_domain (pulumi.Input[str]) – Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.

  • link_only (pulumi.Input[bool]) – If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.

  • post_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it.

  • provider_id (pulumi.Input[str]) – Provider ID; always google unless you have an extended custom implementation.

  • realm (pulumi.Input[str]) – Realm Name

  • request_refresh_token (pulumi.Input[bool]) – Set the ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if you plan to use Token Exchange to retrieve the Google token to access Google APIs when the user is not at the browser.

  • store_token (pulumi.Input[bool]) – Enable/disable if tokens must be stored after authenticating users.

  • trust_email (pulumi.Input[bool]) – If enabled, the email address provided by this provider is accepted without verification even if email verification is enabled for the realm.

  • use_user_ip_param (pulumi.Input[bool]) – Set the ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.

accepts_prompt_none_forward_from_client: pulumi.Output[bool] = None

This is only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the request with prompt=none is forwarded to this identity provider.

add_read_token_role_on_create: pulumi.Output[bool] = None

Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

alias: pulumi.Output[str] = None

The alias uniquely identifies an identity provider and is also used to build the redirect URI. In the case of Google this is computed and is always google.

authenticate_by_default: pulumi.Output[bool] = None

Enable/disable authenticating users by default.

client_id: pulumi.Output[str] = None

Client ID.

client_secret: pulumi.Output[str] = None

Client Secret.

default_scopes: pulumi.Output[str] = None

The scopes to be sent when asking for authorization. See the documentation for possible values, the separator and the default value. Default: ‘openid profile email’.

disable_user_info: pulumi.Output[bool] = None

Disable use of the User Info service to obtain additional user information. By default this OIDC service is used.

display_name: pulumi.Output[str] = None

Not used by this provider; will implicitly be Google.

enabled: pulumi.Output[bool] = None

Enable/disable this identity provider.

first_broker_login_flow_alias: pulumi.Output[str] = None

Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

hide_on_login_page: pulumi.Output[bool] = None

Hide On Login Page.

hosted_domain: pulumi.Output[str] = None

Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.

internal_id: pulumi.Output[str] = None

Internal Identity Provider Id

link_only: pulumi.Output[bool] = None

If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.

post_broker_login_flow_alias: pulumi.Output[str] = None

Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it.

provider_id: pulumi.Output[str] = None

Provider ID; always google unless you have an extended custom implementation.

realm: pulumi.Output[str] = None

Realm Name

request_refresh_token: pulumi.Output[bool] = None

Set the ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if you plan to use Token Exchange to retrieve the Google token to access Google APIs when the user is not at the browser.

store_token: pulumi.Output[bool] = None

Enable/disable if tokens must be stored after authenticating users.

trust_email: pulumi.Output[bool] = None

If enabled, the email address provided by this provider is accepted without verification even if email verification is enabled for the realm.

use_user_ip_param: pulumi.Output[bool] = None

Set the ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.

static get(resource_name, id, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, client_id=None, client_secret=None, default_scopes=None, disable_user_info=None, display_name=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, hosted_domain=None, internal_id=None, link_only=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, request_refresh_token=None, store_token=None, trust_email=None, use_user_ip_param=None)

Get an existing GoogleIdentityProvider resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accepts_prompt_none_forward_from_client (pulumi.Input[bool]) – This is only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the request with prompt=none is forwarded to this identity provider.

  • add_read_token_role_on_create (pulumi.Input[bool]) – Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

  • alias (pulumi.Input[str]) – The alias uniquely identifies an identity provider and is also used to build the redirect URI. In the case of Google this is computed and is always google.

  • authenticate_by_default (pulumi.Input[bool]) – Enable/disable authenticating users by default.

  • client_id (pulumi.Input[str]) – Client ID.

  • client_secret (pulumi.Input[str]) – Client Secret.

  • default_scopes (pulumi.Input[str]) – The scopes to be sent when asking for authorization. See the documentation for possible values, the separator and the default value. Default: ‘openid profile email’.

  • disable_user_info (pulumi.Input[bool]) – Disable use of the User Info service to obtain additional user information. By default this OIDC service is used.

  • display_name (pulumi.Input[str]) – Not used by this provider; will implicitly be Google.

  • enabled (pulumi.Input[bool]) – Enable/disable this identity provider.

  • first_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

  • hide_on_login_page (pulumi.Input[bool]) – Hide On Login Page.

  • hosted_domain (pulumi.Input[str]) – Set ‘hd’ query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When ‘*’ is entered, any hosted account can be used.

  • internal_id (pulumi.Input[str]) – Internal Identity Provider Id

  • link_only (pulumi.Input[bool]) – If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.

  • post_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it.

  • provider_id (pulumi.Input[str]) – Provider ID; always google unless you have an extended custom implementation.

  • realm (pulumi.Input[str]) – Realm Name

  • request_refresh_token (pulumi.Input[bool]) – Set the ‘access_type’ query parameter to ‘offline’ when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if you plan to use Token Exchange to retrieve the Google token to access Google APIs when the user is not at the browser.

  • store_token (pulumi.Input[bool]) – Enable/disable if tokens must be stored after authenticating users.

  • trust_email (pulumi.Input[bool]) – If enabled, the email address provided by this provider is accepted without verification even if email verification is enabled for the realm.

  • use_user_ip_param (pulumi.Input[bool]) – Set the ‘userIp’ query parameter when invoking Google’s User Info service. This will use the user’s IP address. Useful if Google is throttling access to the User Info service.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_keycloak.oidc.IdentityProvider(resource_name, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, authorization_url=None, backchannel_supported=None, client_id=None, client_secret=None, default_scopes=None, display_name=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, jwks_url=None, link_only=None, login_hint=None, logout_url=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, store_token=None, token_url=None, trust_email=None, ui_locales=None, user_info_url=None, validate_signature=None, __props__=None, __name__=None, __opts__=None)

Create an IdentityProvider resource with the given unique name, props, and options.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accepts_prompt_none_forward_from_client (pulumi.Input[bool]) – This is only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the request with prompt=none is forwarded to this identity provider.

  • add_read_token_role_on_create (pulumi.Input[bool]) – Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

  • alias (pulumi.Input[str]) – The alias uniquely identifies an identity provider and is also used to build the redirect URI.

  • authenticate_by_default (pulumi.Input[bool]) – Enable/disable authenticating users by default.

  • authorization_url (pulumi.Input[str]) – OIDC authorization URL.

  • backchannel_supported (pulumi.Input[bool]) – Does the external IDP support backchannel logout?

  • client_id (pulumi.Input[str]) – Client ID.

  • client_secret (pulumi.Input[str]) – Client Secret.

  • default_scopes (pulumi.Input[str]) – The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to ‘openid’.

  • display_name (pulumi.Input[str]) – Friendly name for Identity Providers.

  • enabled (pulumi.Input[bool]) – Enable/disable this identity provider.

  • first_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

  • hide_on_login_page (pulumi.Input[bool]) – Hide On Login Page.

  • jwks_url (pulumi.Input[str]) – JSON Web Key Set URL

  • link_only (pulumi.Input[bool]) – If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.

  • login_hint (pulumi.Input[str]) – Login Hint.

  • logout_url (pulumi.Input[str]) – Logout URL

  • post_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it.

  • provider_id (pulumi.Input[str]) – Provider ID; always oidc unless you have a custom implementation.

  • realm (pulumi.Input[str]) – Realm Name

  • store_token (pulumi.Input[bool]) – Enable/disable if tokens must be stored after authenticating users.

  • token_url (pulumi.Input[str]) – Token URL.

  • trust_email (pulumi.Input[bool]) – If enabled, the email address provided by this provider is accepted without verification even if email verification is enabled for the realm.

  • ui_locales (pulumi.Input[bool]) – Pass the current locale to the identity provider.

  • user_info_url (pulumi.Input[str]) – User Info URL

  • validate_signature (pulumi.Input[bool]) – Enable/disable signature validation of external IDP signatures.

accepts_prompt_none_forward_from_client: pulumi.Output[bool] = None

This is only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the request with prompt=none is forwarded to this identity provider.

add_read_token_role_on_create: pulumi.Output[bool] = None

Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

alias: pulumi.Output[str] = None

The alias uniquely identifies an identity provider and is also used to build the redirect URI.

authenticate_by_default: pulumi.Output[bool] = None

Enable/disable authenticating users by default.

authorization_url: pulumi.Output[str] = None

OIDC authorization URL.

backchannel_supported: pulumi.Output[bool] = None

Does the external IDP support backchannel logout?

client_id: pulumi.Output[str] = None

Client ID.

client_secret: pulumi.Output[str] = None

Client Secret.

default_scopes: pulumi.Output[str] = None

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to ‘openid’.

display_name: pulumi.Output[str] = None

Friendly name for Identity Providers.

enabled: pulumi.Output[bool] = None

Enable/disable this identity provider.

first_broker_login_flow_alias: pulumi.Output[str] = None

Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

hide_on_login_page: pulumi.Output[bool] = None

Hide On Login Page.

internal_id: pulumi.Output[str] = None

Internal Identity Provider Id

jwks_url: pulumi.Output[str] = None

JSON Web Key Set URL

link_only: pulumi.Output[bool] = None

If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.

login_hint: pulumi.Output[str] = None

Login Hint.

logout_url: pulumi.Output[str] = None

Logout URL

post_broker_login_flow_alias: pulumi.Output[str] = None

Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it.

provider_id: pulumi.Output[str] = None

Provider ID; always oidc unless you have a custom implementation.

realm: pulumi.Output[str] = None

Realm Name

store_token: pulumi.Output[bool] = None

Enable/disable if tokens must be stored after authenticating users.

token_url: pulumi.Output[str] = None

Token URL.

trust_email: pulumi.Output[bool] = None

If enabled, the email address provided by this provider is accepted without verification even if email verification is enabled for the realm.

ui_locales: pulumi.Output[bool] = None

Pass the current locale to the identity provider.

user_info_url: pulumi.Output[str] = None

User Info URL

validate_signature: pulumi.Output[bool] = None

Enable/disable signature validation of external IDP signatures.

static get(resource_name, id, opts=None, accepts_prompt_none_forward_from_client=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, authorization_url=None, backchannel_supported=None, client_id=None, client_secret=None, default_scopes=None, display_name=None, enabled=None, extra_config=None, first_broker_login_flow_alias=None, hide_on_login_page=None, internal_id=None, jwks_url=None, link_only=None, login_hint=None, logout_url=None, post_broker_login_flow_alias=None, provider_id=None, realm=None, store_token=None, token_url=None, trust_email=None, ui_locales=None, user_info_url=None, validate_signature=None)

Get an existing IdentityProvider resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accepts_prompt_none_forward_from_client (pulumi.Input[bool]) – This is only used together with the Identity Provider Authenticator or when kc_idp_hint points to this identity provider. If the client sends a request with prompt=none and the user is not yet authenticated, the error is not returned directly to the client; instead the request with prompt=none is forwarded to this identity provider.

  • add_read_token_role_on_create (pulumi.Input[bool]) – Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

  • alias (pulumi.Input[str]) – The alias uniquely identifies an identity provider and is also used to build the redirect URI.

  • authenticate_by_default (pulumi.Input[bool]) – Enable/disable authenticating users by default.

  • authorization_url (pulumi.Input[str]) – OIDC authorization URL.

  • backchannel_supported (pulumi.Input[bool]) – Does the external IDP support backchannel logout?

  • client_id (pulumi.Input[str]) – Client ID.

  • client_secret (pulumi.Input[str]) – Client Secret.

  • default_scopes (pulumi.Input[str]) – The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to ‘openid’.

  • display_name (pulumi.Input[str]) – Friendly name for Identity Providers.

  • enabled (pulumi.Input[bool]) – Enable/disable this identity provider.

  • first_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

  • hide_on_login_page (pulumi.Input[bool]) – Hide On Login Page.

  • internal_id (pulumi.Input[str]) – Internal Identity Provider Id

  • jwks_url (pulumi.Input[str]) – JSON Web Key Set URL

  • link_only (pulumi.Input[bool]) – If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.

  • login_hint (pulumi.Input[str]) – Login Hint.

  • logout_url (pulumi.Input[str]) – Logout URL

  • post_broker_login_flow_alias (pulumi.Input[str]) – Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it.

  • provider_id (pulumi.Input[str]) – Provider ID; always oidc unless you have a custom implementation.

  • realm (pulumi.Input[str]) – Realm Name

  • store_token (pulumi.Input[bool]) – Enable/disable if tokens must be stored after authenticating users.

  • token_url (pulumi.Input[str]) – Token URL.

  • trust_email (pulumi.Input[bool]) – If enabled, the email address provided by this provider is accepted without verification even if email verification is enabled for the realm.

  • ui_locales (pulumi.Input[bool]) – Pass the current locale to the identity provider.

  • user_info_url (pulumi.Input[str]) – User Info URL

  • validate_signature (pulumi.Input[bool]) – Enable/disable signature validation of external IDP signatures.
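The following audit, an added example that is not code from the pulumi_keycloak package, turns the argument descriptions above for both GoogleIdentityProvider and IdentityProvider into checks a Pulumi program can run on its argument dict before calling the resource constructor. The sample argument sets, the hostnames, the HTTPS rule for endpoint URLs and treating an absent boolean as False are this example's assumptions.

```python
"""Audit keyword arguments meant for pulumi_keycloak.oidc.IdentityProvider or
GoogleIdentityProvider before they reach the resource constructor.

Added example, not code from the pulumi_keycloak package. Absent booleans are
treated as False and the sample values below are constructed (assumptions).
"""
from typing import Any, Dict, List

HTTPS_URL_ARGS = ("authorization_url", "token_url", "user_info_url",
                  "jwks_url", "logout_url")


def audit_idp_args(args: Dict[str, Any], google: bool = False) -> List[str]:
    """Return findings, each prefixed with the argument name it concerns."""
    findings: List[str] = []
    if google:
        # hosted_domain drives Google's 'hd' parameter and Keycloak's hd-claim
        # check; '*' admits any hosted account, unset means no restriction.
        hd = args.get("hosted_domain")
        if not hd:
            findings.append("hosted_domain: unset, no domain restriction")
        elif hd == "*":
            findings.append("hosted_domain: '*' admits any hosted Google account")
    else:
        # With validate_signature off Keycloak does not check the external
        # IdP's token signatures; with it on, keys are fetched from jwks_url.
        if not args.get("validate_signature", False):
            findings.append("validate_signature: off, IdP token signatures unchecked")
        elif not args.get("jwks_url"):
            findings.append("jwks_url: missing although validate_signature is on")
        for key in HTTPS_URL_ARGS:  # these endpoints carry codes, tokens, keys
            url = args.get(key)
            if url and not url.lower().startswith("https://"):
                findings.append(f"{key}: not https ({url})")
    # trust_email: the IdP-supplied email bypasses the realm's verification.
    if args.get("trust_email", False):
        findings.append("trust_email: on, IdP email accepted without verification")
    # store_token keeps the external tokens; add_read_token_role_on_create
    # gives every new user broker.read-token, i.e. read access to them.
    if args.get("store_token", False) and args.get("add_read_token_role_on_create", False):
        findings.append("store_token: stored IdP tokens readable by all new users")
    # default_scopes is space-separated; an OIDC login needs 'openid' in it.
    scopes = args.get("default_scopes")
    if scopes is not None and "openid" not in scopes.split():
        findings.append("default_scopes: does not include 'openid'")
    # A string literal lands in the Pulumi state in plain text; a real program
    # should pass pulumi.Config().require_secret("...") instead.
    if isinstance(args.get("client_secret"), str):
        findings.append("client_secret: plain string literal, use a Pulumi secret")
    return findings


def finding_args(findings: List[str]) -> List[str]:
    """Argument names the findings concern, in order (for CI assertions)."""
    return [f.split(":", 1)[0] for f in findings]


# Constructed sample argument sets; hostnames and values are not real.
WEAK_OIDC_ARGS = {
    "realm": "demo", "alias": "partner", "client_id": "keycloak-broker",
    "client_secret": "constructed-placeholder-secret",
    "authorization_url": "http://idp.example.test/authorize",
    "token_url": "https://idp.example.test/token", "validate_signature": False,
    "trust_email": True, "store_token": True, "add_read_token_role_on_create": True,
    "default_scopes": "profile email",
}
HARDENED_OIDC_ARGS = {
    "realm": "demo", "alias": "partner", "client_id": "keycloak-broker",
    "client_secret": None,  # supplied via pulumi.Config().require_secret()
    "authorization_url": "https://idp.example.test/authorize",
    "token_url": "https://idp.example.test/token",
    "jwks_url": "https://idp.example.test/.well-known/jwks.json",
    "validate_signature": True, "trust_email": False, "store_token": False,
    "default_scopes": "openid profile email",
}
GOOGLE_ARGS = {
    "realm": "demo", "client_id": "keycloak-broker", "client_secret": None,
    "hosted_domain": "*", "trust_email": True,
    "default_scopes": "openid profile email",
}
```

Calling `audit_idp_args(WEAK_OIDC_ARGS)` lists six findings, the hardened set yields none, and `audit_idp_args(GOOGLE_ARGS, google=True)` flags the wildcard hosted_domain and trust_email.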

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str