Identity Provider Args
Allows for creating and managing OIDC Identity Providers within Keycloak. OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
// Realm that will host the identity provider.
const realmArgs: keycloak.RealmArgs = {
    realm: "my-realm",
    enabled: true,
};
const realm = new keycloak.Realm("realm", realmArgs);

// OIDC provider definition. The secret literal is the docs' placeholder; the
// clientSecret field can instead reference the Keycloak vault with the
// $${vault.ID} format rather than holding the value in source.
const idpArgs: keycloak.oidc.IdentityProviderArgs = {
    realm: realm.id,
    alias: "my-idp",
    authorizationUrl: "https://authorizationurl.com",
    tokenUrl: "https://tokenurl.com",
    clientId: "clientID",
    clientSecret: "clientSecret",
    // Passed through to Keycloak unchanged.
    extraConfig: { clientAuthMethod: "client_secret_post" },
};
const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realm_identity_provider", idpArgs);
import pulumi
import pulumi_keycloak as keycloak
# Realm that will host the identity provider.
realm = keycloak.Realm(
    "realm",
    realm="my-realm",
    enabled=True,
)

# Provider-specific settings passed through to Keycloak unchanged.
idp_extra_config = {"clientAuthMethod": "client_secret_post"}

# The secret literal is the docs' placeholder; the client_secret field can
# instead reference the Keycloak vault with the $${vault.ID} format rather
# than holding the value in source.
realm_identity_provider = keycloak.oidc.IdentityProvider(
    "realm_identity_provider",
    realm=realm.id,
    alias="my-idp",
    authorization_url="https://authorizationurl.com",
    token_url="https://tokenurl.com",
    client_id="clientID",
    client_secret="clientSecret",
    extra_config=idp_extra_config,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    // Realm that will host the identity provider.
    var realmArgs = new Keycloak.RealmArgs
    {
        RealmName = "my-realm",
        Enabled = true,
    };
    var realm = new Keycloak.Realm("realm", realmArgs);

    // The secret literal is the docs' placeholder; the ClientSecret field can
    // instead reference the Keycloak vault with the $${vault.ID} format rather
    // than holding the value in source.
    var idpArgs = new Keycloak.Oidc.IdentityProviderArgs
    {
        Realm = realm.Id,
        Alias = "my-idp",
        AuthorizationUrl = "https://authorizationurl.com",
        TokenUrl = "https://tokenurl.com",
        ClientId = "clientID",
        ClientSecret = "clientSecret",
        // Passed through to Keycloak unchanged.
        ExtraConfig =
        {
            { "clientAuthMethod", "client_secret_post" },
        },
    };
    var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realm_identity_provider", idpArgs);
});
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program that declares a realm and an OIDC identity
// provider inside it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that will host the identity provider.
		realmArgs := &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		}
		realm, err := keycloak.NewRealm(ctx, "realm", realmArgs)
		if err != nil {
			return err
		}

		// The secret literal is the docs' placeholder; the ClientSecret field
		// can instead reference the Keycloak vault with the $${vault.ID}
		// format rather than holding the value in source.
		idpArgs := &oidc.IdentityProviderArgs{
			Realm:            realm.ID(),
			Alias:            pulumi.String("my-idp"),
			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
			TokenUrl:         pulumi.String("https://tokenurl.com"),
			ClientId:         pulumi.String("clientID"),
			ClientSecret:     pulumi.String("clientSecret"),
			// Passed through to Keycloak unchanged.
			ExtraConfig: pulumi.StringMap{
				"clientAuthMethod": pulumi.String("client_secret_post"),
			},
		}
		if _, err := oidc.NewIdentityProvider(ctx, "realm_identity_provider", idpArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares a Keycloak realm and an OIDC identity provider inside it. */
public class App {
    /** Program entry point; hands control to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi deployment context (unused by this example)
     */
    public static void stack(Context ctx) {
        // Realm that will host the identity provider.
        RealmArgs realmArgs = RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build();
        Realm realm = new Realm("realm", realmArgs);

        // The secret literal is the docs' placeholder; the clientSecret field can
        // instead reference the Keycloak vault with the $${vault.ID} format rather
        // than holding the value in source. Note that signature validation of
        // external IDP signatures is documented as disabled by default.
        IdentityProviderArgs idpArgs = IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-idp")
            .authorizationUrl("https://authorizationurl.com")
            .clientId("clientID")
            .clientSecret("clientSecret")
            .tokenUrl("https://tokenurl.com")
            // Passed through to Keycloak unchanged.
            .extraConfig(Map.of("clientAuthMethod", "client_secret_post"))
            .build();
        new IdentityProvider("realmIdentityProvider", idpArgs);
    }
}
resources:
  # Realm that will host the identity provider.
  realm:
    type: keycloak:Realm
    properties:
      realm: "my-realm"
      enabled: true
  realmIdentityProvider:
    type: keycloak:oidc:IdentityProvider
    name: "realm_identity_provider"
    properties:
      realm: "${realm.id}"
      alias: "my-idp"
      authorizationUrl: "https://authorizationurl.com"
      tokenUrl: "https://tokenurl.com"
      clientId: "clientID"
      # Placeholder from the docs; this field can instead reference the
      # Keycloak vault with the $${vault.ID} format.
      clientSecret: "clientSecret"
      # Passed through to Keycloak unchanged.
      extraConfig:
        clientAuthMethod: "client_secret_post"
Import
Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias. Example:
$ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp
Constructors
Properties
When `true`, the IDP will accept forwarded authentication requests that contain the `prompt=none` query parameter. Defaults to `false`.
When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
Enable/disable authenticating users by default.
The Authorization Url.
Does the external IDP support backchannel logout? Defaults to `true`.
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault; use the `$${vault.ID}` format.
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to `openid`.
When `true`, disables the use of the user info service to obtain additional user information. Defaults to `false`.
Display name for the identity provider in the GUI.
The authentication flow to use when users log in for the first time through this identity provider. Defaults to `first broker login`.
When `true`, this provider will be hidden on the login page and is only accessible when requested explicitly. Defaults to `false`.
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
The ID of the identity provider to use. Defaults to `oidc`, which should be used unless you have extended Keycloak and provided your own implementation.
When `true`, tokens will be stored after authenticating users. Defaults to `true`.
When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
User Info URL.
Enable/disable validation of signatures issued by the external IDP. Defaults to `false`.