GoogleIdentityProvider

class GoogleIdentityProvider : KotlinCustomResource

Allows for creating and managing OIDC Identity Providers within Keycloak. OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

Example Usage

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

// The Google OAuth client credentials are read from stack configuration so the
// secret never appears in source; requireSecret keeps it encrypted in state.
const config = new pulumi.Config();
const googleIdentityProviderClientId = config.require("googleIdentityProviderClientId");
const googleIdentityProviderClientSecret = config.requireSecret("googleIdentityProviderClientSecret");

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const google = new keycloak.oidc.GoogleIdentityProvider("google", {
    realm: realm.id,
    clientId: googleIdentityProviderClientId,
    clientSecret: googleIdentityProviderClientSecret,
    trustEmail: true,
    hostedDomain: "example.com",
    syncMode: "IMPORT",
    extraConfig: {
        myCustomConfigKey: "myValue",
    },
});

Python

import pulumi
import pulumi_keycloak as keycloak

# Credentials come from stack configuration; require_secret marks the value as a secret.
config = pulumi.Config()
google_identity_provider_client_id = config.require("googleIdentityProviderClientId")
google_identity_provider_client_secret = config.require_secret("googleIdentityProviderClientSecret")

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
google = keycloak.oidc.GoogleIdentityProvider("google",
    realm=realm.id,
    client_id=google_identity_provider_client_id,
    client_secret=google_identity_provider_client_secret,
    trust_email=True,
    hosted_domain="example.com",
    sync_mode="IMPORT",
    extra_config={
        "myCustomConfigKey": "myValue",
    })

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() =>
{
    // Credentials come from stack configuration; RequireSecret keeps the value encrypted.
    var config = new Config();
    var googleIdentityProviderClientId = config.Require("googleIdentityProviderClientId");
    var googleIdentityProviderClientSecret = config.RequireSecret("googleIdentityProviderClientSecret");

    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var google = new Keycloak.Oidc.GoogleIdentityProvider("google", new()
    {
        Realm = realm.Id,
        ClientId = googleIdentityProviderClientId,
        ClientSecret = googleIdentityProviderClientSecret,
        TrustEmail = true,
        HostedDomain = "example.com",
        SyncMode = "IMPORT",
        ExtraConfig =
        {
            { "myCustomConfigKey", "myValue" },
        },
    });
});

Go

package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Credentials come from stack configuration; RequireSecret returns a secret output.
		cfg := config.New(ctx, "")
		googleIdentityProviderClientId := cfg.Require("googleIdentityProviderClientId")
		googleIdentityProviderClientSecret := cfg.RequireSecret("googleIdentityProviderClientSecret")

		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = oidc.NewGoogleIdentityProvider(ctx, "google", &oidc.GoogleIdentityProviderArgs{
			Realm:        realm.ID(),
			ClientId:     pulumi.String(googleIdentityProviderClientId),
			ClientSecret: googleIdentityProviderClientSecret,
			TrustEmail:   pulumi.Bool(true),
			HostedDomain: pulumi.String("example.com"),
			SyncMode:     pulumi.String("IMPORT"),
			ExtraConfig: pulumi.StringMap{
				"myCustomConfigKey": pulumi.String("myValue"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.GoogleIdentityProvider;
import com.pulumi.keycloak.oidc.GoogleIdentityProviderArgs;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Credentials come from stack configuration; requireSecret yields a secret Output.
        var config = ctx.config();
        var googleIdentityProviderClientId = config.require("googleIdentityProviderClientId");
        var googleIdentityProviderClientSecret = config.requireSecret("googleIdentityProviderClientSecret");

        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var google = new GoogleIdentityProvider("google", GoogleIdentityProviderArgs.builder()
            .realm(realm.id())
            .clientId(googleIdentityProviderClientId)
            .clientSecret(googleIdentityProviderClientSecret)
            .trustEmail(true)
            .hostedDomain("example.com")
            .syncMode("IMPORT")
            .extraConfig(Map.of("myCustomConfigKey", "myValue"))
            .build());
    }
}

YAML

# Declare the two config values; set the secret with
#   pulumi config set --secret googleIdentityProviderClientSecret <value>
configuration:
  googleIdentityProviderClientId:
    type: String
  googleIdentityProviderClientSecret:
    type: String
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  google:
    type: keycloak:oidc:GoogleIdentityProvider
    properties:
      realm: ${realm.id}
      clientId: ${googleIdentityProviderClientId}
      clientSecret: ${googleIdentityProviderClientSecret}
      trustEmail: true
      hostedDomain: example.com
      syncMode: IMPORT
      extraConfig:
        myCustomConfigKey: myValue

Import

Google identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example:

$ pulumi import keycloak:oidc/googleIdentityProvider:GoogleIdentityProvider google_identity_provider my-realm/my-google-idp

Properties

When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

val alias: Output<String>

The alias for the Google identity provider.


Enable/disable authenticating users by default.

val clientId: Output<String>

The client or client identifier registered within the identity provider.

val clientSecret: Output<String>

The client or client secret registered within the identity provider. This field is able to obtain its value from vault; use the ${vault.ID} format.

val defaultScopes: Output<String>?

The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.

val disableUserInfo: Output<Boolean>?

When true, disables the usage of the user info service to obtain additional user information. Defaults to false.

val displayName: Output<String>

Display name for the Google identity provider in the GUI.

val enabled: Output<Boolean>?

When true, users will be able to log in to this realm using this identity provider. Defaults to true.

val extraConfig: Output<Map<String, String>>?

The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.

val guiOrder: Output<String>?

A number defining the order of this identity provider in the GUI.

val hideOnLoginPage: Output<Boolean>?

When true, this identity provider will be hidden on the login page. Defaults to false.

val hostedDomain: Output<String>?

Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
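As an added illustration, not code from the Pulumi provider or from Keycloak, the Python below reproduces the claim check this property describes. It assumes signature verification of the Google ID token has already happened (Keycloak does that against Google's keys); only the claim rule is shown: the token's hd claim must equal the configured hosted domain, a consumer account without an hd claim is rejected, and * (or, as an assumption here, an unset value) accepts any account. The tokens are constructed test input with dummy signatures, and the exact-match comparison is this example's reading of the description rather than a quote of Keycloak's source.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWS-shaped string for test input. Constructed: the signature segment is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. Assumes the signature was verified upstream;
    this helper verifies nothing and must never be used on its own to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def hosted_domain_allows(hosted_domain, claims: dict) -> bool:
    """Apply the documented hostedDomain rule to already-verified ID-token claims.

    - "*" (and, as an assumption in this example, an unset value) accepts any Google account.
    - Otherwise the token must carry an "hd" claim equal to the configured domain;
      consumer accounts have no "hd" claim and are rejected. The comparison is exact,
      so "example.com.other.test" or "notexample.com" never matches "example.com".
    """
    if hosted_domain is None or hosted_domain == "*":
        return True
    hd = claims.get("hd")
    if not isinstance(hd, str):
        return False
    return hd == hosted_domain


def accepts(hosted_domain, token: str) -> bool:
    """Decode a pre-verified token and apply the hosted-domain rule."""
    return hosted_domain_allows(hosted_domain, decode_jwt_payload(token))


# Constructed sample tokens (claims chosen for the example, not captured from Google).
WORKSPACE_TOKEN = make_unsigned_token({
    "iss": "https://accounts.google.com", "sub": "1001",
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
})
CONSUMER_TOKEN = make_unsigned_token({
    "iss": "https://accounts.google.com", "sub": "1002",
    "email": "bob@gmail.com", "email_verified": True,
})
LOOKALIKE_TOKEN = make_unsigned_token({
    "iss": "https://accounts.google.com", "sub": "1003",
    "email": "carol@example.com.other.test", "email_verified": True,
    "hd": "example.com.other.test",
})

if __name__ == "__main__":
    for label, tok in (("workspace", WORKSPACE_TOKEN), ("consumer", CONSUMER_TOKEN), ("lookalike", LOOKALIKE_TOKEN)):
        print(f'hostedDomain="example.com" {label}: {accepts("example.com", tok)}')
        print(f'hostedDomain="*"           {label}: {accepts("*", tok)}')
```

With hostedDomain set to example.com only the workspace token is accepted; with * all three are, which is why a wildcard should be a deliberate choice rather than a default.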

val id: Output<String>
val internalId: Output<String>

(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

val linkOnly: Output<Boolean>?

When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.

The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.

val providerId: Output<String>?

The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.

val pulumiChildResources: Set<KotlinResource>
val realm: Output<String>

The name of the realm. This is unique across Keycloak.


Sets the "access_type" query parameter to "offline" when redirecting to the Google authorization endpoint, to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.

val storeToken: Output<Boolean>?

When true, tokens will be stored after authenticating users. Defaults to true.

val syncMode: Output<String>?

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

val trustEmail: Output<Boolean>?

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

val urn: Output<String>
val useUserIpParam: Output<Boolean>?

Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.
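The following is an added example, not part of the Pulumi provider or of Keycloak, showing a pre-deployment check over a dictionary of the property names documented above (camelCase, as in the TypeScript usage example). It flags the combinations that widen exposure: an unrestricted hostedDomain, trustEmail without a pinned domain, granting broker.read-token to every new user while tokens are stored (the property for that option, addReadTokenRoleOnCreate, is not spelled out on this page), a syncMode outside the documented values, and a client secret written as a literal instead of a config secret or ${vault.ID} reference. The sample argument maps are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One risky or invalid setting, keyed by the documented property name."""
    prop: str
    message: str


VALID_SYNC_MODES = ("IMPORT", "FORCE", "LEGACY")


def check_google_idp_args(args: dict) -> list:
    """Return findings for a GoogleIdentityProvider property map; an empty list means no concerns."""
    findings = []

    # hostedDomain: "*" (or leaving it unset) means any Google account may log in.
    hosted = args.get("hostedDomain")
    unrestricted = hosted is None or hosted == "*"
    if unrestricted:
        findings.append(Finding("hostedDomain",
            "accounts from any Google domain are accepted; pin the organisation's domain"))

    # trustEmail bypasses the realm's email verification policy; only sensible once the domain is pinned.
    if args.get("trustEmail", False) and unrestricted:
        findings.append(Finding("trustEmail",
            "email auto-verified for accounts from any domain; combine only with a pinned hostedDomain"))

    # storeToken defaults to true; assigning broker.read-token on creation lets every new
    # user read the stored Google tokens. addReadTokenRoleOnCreate is the provider property
    # for that option (it is described but not named on this page).
    if args.get("storeToken", True) and args.get("addReadTokenRoleOnCreate", False):
        findings.append(Finding("addReadTokenRoleOnCreate",
            "every new user receives broker.read-token and can read the stored Google tokens"))

    # syncMode: the documented values are IMPORT, FORCE and LEGACY.
    sync = args.get("syncMode")
    if sync is not None and sync not in VALID_SYNC_MODES:
        findings.append(Finding("syncMode", f"{sync!r} is not one of {', '.join(VALID_SYNC_MODES)}"))

    # A literal secret in the program ends up in source control; use a config secret or the ${vault.ID} form.
    secret = args.get("clientSecret")
    if isinstance(secret, str) and not secret.startswith("${vault."):
        findings.append(Finding("clientSecret",
            "literal client secret; read it with require_secret() or reference it as ${vault.ID}"))

    return findings


# Constructed sample: the values from the usage example above, with the secret as a vault reference.
PAGE_EXAMPLE_ARGS = {
    "realm": "my-realm",
    "clientId": "example-client-id",           # constructed placeholder
    "clientSecret": "${vault.google-secret}",  # constructed vault reference
    "trustEmail": True,
    "hostedDomain": "example.com",
    "syncMode": "IMPORT",
}

# Constructed sample of a configuration that should be stopped before `pulumi up`.
WEAK_ARGS = {
    "realm": "my-realm",
    "clientId": "example-client-id",
    "clientSecret": "hunter2",                 # literal secret in the program
    "trustEmail": True,
    "hostedDomain": "*",
    "addReadTokenRoleOnCreate": True,
    "syncMode": "import",
}

if __name__ == "__main__":
    for name, args in (("page example", PAGE_EXAMPLE_ARGS), ("weak", WEAK_ARGS)):
        found = check_google_idp_args(args)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.prop}: {f.message}")
```

Run the check in a unit test or a pre-commit hook over the argument map the program passes to the resource; the page example produces no findings, while the weak map produces one per property listed above.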