IdentityProvider

class IdentityProvider : KotlinCustomResource

Allows for creating and managing OIDC Identity Providers within Keycloak. OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

Example Usage

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realm_identity_provider", {
    realm: realm.id,
    alias: "my-idp",
    authorizationUrl: "https://authorizationurl.com",
    clientId: "clientID",
    clientSecret: "clientSecret",
    tokenUrl: "https://tokenurl.com",
    extraConfig: {
        clientAuthMethod: "client_secret_post",
    },
});

Python

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
realm_identity_provider = keycloak.oidc.IdentityProvider("realm_identity_provider",
    realm=realm.id,
    alias="my-idp",
    authorization_url="https://authorizationurl.com",
    client_id="clientID",
    client_secret="clientSecret",
    token_url="https://tokenurl.com",
    extra_config={
        "clientAuthMethod": "client_secret_post",
    })

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realm_identity_provider", new()
    {
        Realm = realm.Id,
        Alias = "my-idp",
        AuthorizationUrl = "https://authorizationurl.com",
        ClientId = "clientID",
        ClientSecret = "clientSecret",
        TokenUrl = "https://tokenurl.com",
        ExtraConfig =
        {
            { "clientAuthMethod", "client_secret_post" },
        },
    });
});

Go

package main

import (
    "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
    "github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/oidc"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
            Realm:   pulumi.String("my-realm"),
            Enabled: pulumi.Bool(true),
        })
        if err != nil {
            return err
        }
        _, err = oidc.NewIdentityProvider(ctx, "realm_identity_provider", &oidc.IdentityProviderArgs{
            Realm:            realm.ID(),
            Alias:            pulumi.String("my-idp"),
            AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
            ClientId:         pulumi.String("clientID"),
            ClientSecret:     pulumi.String("clientSecret"),
            TokenUrl:         pulumi.String("https://tokenurl.com"),
            ExtraConfig: pulumi.StringMap{
                "clientAuthMethod": pulumi.String("client_secret_post"),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-idp")
            .authorizationUrl("https://authorizationurl.com")
            .clientId("clientID")
            .clientSecret("clientSecret")
            .tokenUrl("https://tokenurl.com")
            .extraConfig(Map.of("clientAuthMethod", "client_secret_post"))
            .build());
    }
}

YAML

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  realmIdentityProvider:
    type: keycloak:oidc:IdentityProvider
    name: realm_identity_provider
    properties:
      realm: ${realm.id}
      alias: my-idp
      authorizationUrl: https://authorizationurl.com
      clientId: clientID
      clientSecret: clientSecret
      tokenUrl: https://tokenurl.com
      extraConfig:
        clientAuthMethod: client_secret_post

Import

Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example:

$ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp

Properties


When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.


When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

val alias: Output<String>

The alias uniquely identifies an identity provider and is also used to build the redirect URI.

Enable/disable authenticating users by default.

The Authorization URL.


Does the external IDP support backchannel logout? Defaults to true.

val clientId: Output<String>

The client or client identifier registered within the identity provider.

val clientSecret: Output<String>

The client secret registered within the identity provider. This field can take its value from the Keycloak vault; use the $${vault.ID} format.
val defaultScopes: Output<String>?

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.

val disableUserInfo: Output<Boolean>?

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

val displayName: Output<String>?

Display name for the identity provider in the GUI.

val enabled: Output<Boolean>?

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

val extraConfig: Output<Map<String, String>>?

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

val guiOrder: Output<String>?

A number defining the order of this identity provider in the GUI.

val hideOnLoginPage: Output<Boolean>?

When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.

val id: Output<String>
val internalId: Output<String>

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

val issuer: Output<String>?

The issuer identifier for the issuer of the response. If not provided, no validation will be performed.

val jwksUrl: Output<String>?

JSON Web Key Set URL.

val linkOnly: Output<Boolean>?

When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
val loginHint: Output<String>?

Pass login hint to identity provider.

val logoutUrl: Output<String>?

The Logout URL is the end session endpoint used to log the user out of the external identity provider.

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

val providerId: Output<String>?

The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.

val pulumiChildResources: Set<KotlinResource>
val realm: Output<String>

The name of the realm. This is unique across Keycloak.

val storeToken: Output<Boolean>?

When true, tokens will be stored after authenticating users. Defaults to true.

val syncMode: Output<String>?

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
val tokenUrl: Output<String>

The Token URL.

val trustEmail: Output<Boolean>?

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

val uiLocales: Output<Boolean>?

Pass current locale to identity provider. Defaults to false.

val urn: Output<String>
val userInfoUrl: Output<String>?

User Info URL.


Enable/disable signature validation of external IDP signatures. Defaults to false.
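As an added example (not code from the Pulumi Keycloak provider or this page), the following Python lint walks an IdentityProvider argument map against the defaults documented above and in the Example Usage: signature validation and issuer checking are off unless set, trustEmail bypasses realm verification, and clientSecret may be a plaintext literal instead of a vault reference. The argument maps, hostnames and vault key name are constructed placeholders; accepting both "${vault.ID}" and the escaped "$${vault.ID}" form is an assumption.

```python
# Added example; not code from the Pulumi Keycloak provider or this page.
import re
from urllib.parse import urlparse

# Keycloak vault reference for clientSecret (page: $${vault.ID}); the leading
# "$$" is the provider's escape, so both forms are accepted (an assumption).
VAULT_REF = re.compile(r"^\$?\$\{vault\.[^}]+\}$")
URL_PROPS = ("authorizationUrl", "tokenUrl", "userInfoUrl", "jwksUrl", "logoutUrl")
SYNC_MODES = {"IMPORT", "FORCE", "LEGACY"}


def lint_oidc_idp(cfg: dict) -> list:
    """Return findings for an IdentityProvider argument map (camelCase keys)."""
    findings = []
    for prop in URL_PROPS:  # every broker endpoint must be https
        url = cfg.get(prop)
        if url and urlparse(url).scheme != "https":
            findings.append(f"{prop}: not https ({url})")
    secret = cfg.get("clientSecret", "")
    if secret and not VAULT_REF.match(secret):
        findings.append("clientSecret: plaintext literal; use a ${vault.ID} reference")
    if not cfg.get("validateSignature", False):  # page default is false
        findings.append("validateSignature: false; external IdP signatures are not checked")
    if not cfg.get("issuer"):  # page: no validation when issuer is absent
        findings.append("issuer: unset, so no issuer validation is performed")
    if cfg.get("trustEmail", False):
        findings.append("trustEmail: true bypasses the realm email verification policy")
    if cfg.get("addReadTokenRoleOnCreate", False) and cfg.get("storeToken", True):
        findings.append("addReadTokenRoleOnCreate: new users get broker.read-token")
    mode = cfg.get("syncMode")
    if mode is not None and mode not in SYNC_MODES:
        findings.append(f"syncMode: {mode!r} is not one of IMPORT, FORCE, LEGACY")
    return findings


# Constructed sample: the page's Example Usage as an argument map.
PAGE_EXAMPLE = {
    "realm": "my-realm", "alias": "my-idp", "clientId": "clientID",
    "clientSecret": "clientSecret", "tokenUrl": "https://tokenurl.com",
    "authorizationUrl": "https://authorizationurl.com",
    "extraConfig": {"clientAuthMethod": "client_secret_post"},
}
# Constructed hardened variant; hostnames and the vault key are placeholders.
HARDENED = dict(PAGE_EXAMPLE, clientSecret="${vault.my-idp-client-secret}",
                validateSignature=True, jwksUrl="https://idp.example/jwks",
                issuer="https://idp.example", syncMode="IMPORT")

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(name, lint_oidc_idp(cfg) or "OK")
```

Run it before `pulumi up` against the same argument map you pass to the resource; the page's own example yields three findings, the hardened variant none.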