Keycloak v6.3.0 published on Tuesday, Apr 15, 2025 by Pulumi

keycloak.oidc.IdentityProvider


Allows for creating and managing OIDC Identity Providers within Keycloak.

OIDC (OpenID Connect) identity providers allow users to authenticate through a third-party system using the OIDC standard.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

// Realm that will own the identity provider.
const realmArgs = {
    realm: "my-realm",
    enabled: true,
};
const realm = new keycloak.Realm("realm", realmArgs);

// OIDC identity provider registered in that realm.
// NOTE: the literal client secret is a placeholder. For real deployments let
// Keycloak read it from its vault (the clientSecret input accepts the
// $${vault.ID} format) or pass it as a Pulumi secret so it is not committed in
// plain text. validateSignature (defaults to false) and issuer (unset means the
// issuer is not validated) are left at their defaults here; review them before
// production use.
const idpArgs = {
    realm: realm.id,
    alias: "my-idp",
    authorizationUrl: "https://authorizationurl.com",
    clientId: "clientID",
    clientSecret: "clientSecret",
    tokenUrl: "https://tokenurl.com",
    // Additional provider settings not covered by the typed inputs.
    extraConfig: {
        clientAuthMethod: "client_secret_post",
    },
};
const realmIdentityProvider = new keycloak.oidc.IdentityProvider("realm_identity_provider", idpArgs);
import pulumi
import pulumi_keycloak as keycloak

# Realm that will own the identity provider.
realm_args = {
    "realm": "my-realm",
    "enabled": True,
}
realm = keycloak.Realm("realm", **realm_args)

# OIDC identity provider registered in that realm.
# NOTE: the literal client secret is a placeholder. For real deployments let
# Keycloak read it from its vault (the client_secret input accepts the
# $${vault.ID} format) or pass it as a Pulumi secret so it is not committed in
# plain text. validate_signature (defaults to false) and issuer (unset means the
# issuer is not validated) are left at their defaults here; review them before
# production use.
idp_args = {
    "realm": realm.id,
    "alias": "my-idp",
    "authorization_url": "https://authorizationurl.com",
    "client_id": "clientID",
    "client_secret": "clientSecret",
    "token_url": "https://tokenurl.com",
    # Additional provider settings not covered by the typed inputs.
    "extra_config": {
        "clientAuthMethod": "client_secret_post",
    },
}
realm_identity_provider = keycloak.oidc.IdentityProvider("realm_identity_provider", **idp_args)
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that will own the identity provider.
		realmArgs := &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		}
		realm, err := keycloak.NewRealm(ctx, "realm", realmArgs)
		if err != nil {
			return err
		}

		// OIDC identity provider registered in that realm.
		// NOTE: the literal client secret is a placeholder. For real deployments let
		// Keycloak read it from its vault (the ClientSecret input accepts the
		// $${vault.ID} format) or pass it as a Pulumi secret so it is not committed in
		// plain text. ValidateSignature (defaults to false) and Issuer (unset means the
		// issuer is not validated) are left at their defaults here; review them before
		// production use.
		idpArgs := &oidc.IdentityProviderArgs{
			Realm:            realm.ID(),
			Alias:            pulumi.String("my-idp"),
			AuthorizationUrl: pulumi.String("https://authorizationurl.com"),
			ClientId:         pulumi.String("clientID"),
			ClientSecret:     pulumi.String("clientSecret"),
			TokenUrl:         pulumi.String("https://tokenurl.com"),
			// Additional provider settings not covered by the typed inputs.
			ExtraConfig: pulumi.StringMap{
				"clientAuthMethod": pulumi.String("client_secret_post"),
			},
		}
		if _, err := oidc.NewIdentityProvider(ctx, "realm_identity_provider", idpArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() =>
{
    // Realm that will own the identity provider.
    var realmArgs = new Keycloak.RealmArgs
    {
        RealmName = "my-realm",
        Enabled = true,
    };
    var realm = new Keycloak.Realm("realm", realmArgs);

    // OIDC identity provider registered in that realm.
    // NOTE: the literal client secret is a placeholder. For real deployments let
    // Keycloak read it from its vault (the ClientSecret input accepts the
    // $${vault.ID} format) or pass it as a Pulumi secret so it is not committed in
    // plain text. ValidateSignature (defaults to false) and Issuer (unset means the
    // issuer is not validated) are left at their defaults here; review them before
    // production use.
    var idpArgs = new Keycloak.Oidc.IdentityProviderArgs
    {
        Realm = realm.Id,
        Alias = "my-idp",
        AuthorizationUrl = "https://authorizationurl.com",
        ClientId = "clientID",
        ClientSecret = "clientSecret",
        TokenUrl = "https://tokenurl.com",
        // Additional provider settings not covered by the typed inputs.
        ExtraConfig =
        {
            { "clientAuthMethod", "client_secret_post" },
        },
    };
    var realmIdentityProvider = new Keycloak.Oidc.IdentityProvider("realm_identity_provider", idpArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.IdentityProvider;
import com.pulumi.keycloak.oidc.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a realm and an OIDC identity provider registered in it.
     *
     * NOTE: the literal client secret is a placeholder. For real deployments let
     * Keycloak read it from its vault (the clientSecret input accepts the
     * $${vault.ID} format) or pass it as a Pulumi secret so it is not committed in
     * plain text. validateSignature (defaults to false) and issuer (unset means the
     * issuer is not validated) are left at their defaults here; review them before
     * production use.
     */
    public static void stack(Context ctx) {
        // Realm that will own the identity provider.
        var realmArgs = RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build();
        var realm = new Realm("realm", realmArgs);

        var idpArgs = IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-idp")
            .authorizationUrl("https://authorizationurl.com")
            .clientId("clientID")
            .clientSecret("clientSecret")
            .tokenUrl("https://tokenurl.com")
            // Additional provider settings not covered by the typed inputs.
            .extraConfig(Map.of("clientAuthMethod", "client_secret_post"))
            .build();
        var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", idpArgs);
    }
}
resources:
  # Realm that will own the identity provider.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # OIDC identity provider registered in that realm.
  realmIdentityProvider:
    type: keycloak:oidc:IdentityProvider
    name: realm_identity_provider
    properties:
      realm: ${realm.id}
      alias: my-idp
      authorizationUrl: https://authorizationurl.com
      clientId: clientID
      # Placeholder: for real deployments source the secret from the Keycloak
      # vault ($${vault.ID} format) or a Pulumi secret rather than a literal.
      clientSecret: clientSecret
      tokenUrl: https://tokenurl.com
      # validateSignature (defaults to false) and issuer (unset means the issuer
      # is not validated) are left at their defaults here; review before production use.
      # Additional provider settings not covered by the typed inputs.
      extraConfig:
        clientAuthMethod: client_secret_post

Create IdentityProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def IdentityProvider(resource_name: str,
                     args: IdentityProviderArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def IdentityProvider(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     client_id: Optional[str] = None,
                     token_url: Optional[str] = None,
                     alias: Optional[str] = None,
                     realm: Optional[str] = None,
                     authorization_url: Optional[str] = None,
                     client_secret: Optional[str] = None,
                     gui_order: Optional[str] = None,
                     login_hint: Optional[str] = None,
                     default_scopes: Optional[str] = None,
                     disable_user_info: Optional[bool] = None,
                     display_name: Optional[str] = None,
                     enabled: Optional[bool] = None,
                     extra_config: Optional[Mapping[str, str]] = None,
                     first_broker_login_flow_alias: Optional[str] = None,
                     accepts_prompt_none_forward_from_client: Optional[bool] = None,
                     hide_on_login_page: Optional[bool] = None,
                     issuer: Optional[str] = None,
                     jwks_url: Optional[str] = None,
                     link_only: Optional[bool] = None,
                     backchannel_supported: Optional[bool] = None,
                     logout_url: Optional[str] = None,
                     post_broker_login_flow_alias: Optional[str] = None,
                     provider_id: Optional[str] = None,
                     authenticate_by_default: Optional[bool] = None,
                     store_token: Optional[bool] = None,
                     sync_mode: Optional[str] = None,
                     add_read_token_role_on_create: Optional[bool] = None,
                     trust_email: Optional[bool] = None,
                     ui_locales: Optional[bool] = None,
                     user_info_url: Optional[str] = None,
                     validate_signature: Optional[bool] = None)
func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:oidc:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. IdentityProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. IdentityProviderArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. IdentityProviderArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. IdentityProviderArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. IdentityProviderArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference shape only: every value below is a placeholder of the right type.
var identityProviderResource = new Keycloak.Oidc.IdentityProvider("identityProviderResource", new()
{
    ClientId = "string",
    TokenUrl = "string",
    Alias = "string",
    Realm = "string",
    AuthorizationUrl = "string",
    // Secret input: prefer the Keycloak vault ($${vault.ID} format) or a Pulumi secret over a literal.
    ClientSecret = "string",
    GuiOrder = "string",
    LoginHint = "string",
    DefaultScopes = "string",
    DisableUserInfo = false,
    DisplayName = "string",
    Enabled = false,
    ExtraConfig = 
    {
        { "string", "string" },
    },
    FirstBrokerLoginFlowAlias = "string",
    AcceptsPromptNoneForwardFromClient = false,
    HideOnLoginPage = false,
    // If unset, the issuer of the response is not validated.
    Issuer = "string",
    JwksUrl = "string",
    LinkOnly = false,
    BackchannelSupported = false,
    LogoutUrl = "string",
    PostBrokerLoginFlowAlias = "string",
    ProviderId = "string",
    AuthenticateByDefault = false,
    StoreToken = false,
    SyncMode = "string",
    AddReadTokenRoleOnCreate = false,
    // When true, bypasses the realm's email verification policy for this provider's users.
    TrustEmail = false,
    UiLocales = false,
    UserInfoUrl = "string",
    // Defaults to false: signatures from the external IDP are not validated unless enabled.
    ValidateSignature = false,
});
// Reference shape only: every value below is a placeholder of the right type.
example, err := oidc.NewIdentityProvider(ctx, "identityProviderResource", &oidc.IdentityProviderArgs{
	ClientId:         pulumi.String("string"),
	TokenUrl:         pulumi.String("string"),
	Alias:            pulumi.String("string"),
	Realm:            pulumi.String("string"),
	AuthorizationUrl: pulumi.String("string"),
	// Secret input: prefer the Keycloak vault ($${vault.ID} format) or a Pulumi secret over a literal.
	ClientSecret:     pulumi.String("string"),
	GuiOrder:         pulumi.String("string"),
	LoginHint:        pulumi.String("string"),
	DefaultScopes:    pulumi.String("string"),
	DisableUserInfo:  pulumi.Bool(false),
	DisplayName:      pulumi.String("string"),
	Enabled:          pulumi.Bool(false),
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	FirstBrokerLoginFlowAlias:          pulumi.String("string"),
	AcceptsPromptNoneForwardFromClient: pulumi.Bool(false),
	HideOnLoginPage:                    pulumi.Bool(false),
	// If unset, the issuer of the response is not validated.
	Issuer:                             pulumi.String("string"),
	JwksUrl:                            pulumi.String("string"),
	LinkOnly:                           pulumi.Bool(false),
	BackchannelSupported:               pulumi.Bool(false),
	LogoutUrl:                          pulumi.String("string"),
	PostBrokerLoginFlowAlias:           pulumi.String("string"),
	ProviderId:                         pulumi.String("string"),
	AuthenticateByDefault:              pulumi.Bool(false),
	StoreToken:                         pulumi.Bool(false),
	SyncMode:                           pulumi.String("string"),
	AddReadTokenRoleOnCreate:           pulumi.Bool(false),
	// When true, bypasses the realm's email verification policy for this provider's users.
	TrustEmail:                         pulumi.Bool(false),
	UiLocales:                          pulumi.Bool(false),
	UserInfoUrl:                        pulumi.String("string"),
	// Defaults to false: signatures from the external IDP are not validated unless enabled.
	ValidateSignature:                  pulumi.Bool(false),
})
// Reference shape only: every value below is a placeholder of the right type.
var identityProviderResource = new IdentityProvider("identityProviderResource", IdentityProviderArgs.builder()
    .clientId("string")
    .tokenUrl("string")
    .alias("string")
    .realm("string")
    .authorizationUrl("string")
    // Secret input: prefer the Keycloak vault ($${vault.ID} format) or a Pulumi secret over a literal.
    .clientSecret("string")
    .guiOrder("string")
    .loginHint("string")
    .defaultScopes("string")
    .disableUserInfo(false)
    .displayName("string")
    .enabled(false)
    .extraConfig(Map.of("string", "string"))
    .firstBrokerLoginFlowAlias("string")
    .acceptsPromptNoneForwardFromClient(false)
    .hideOnLoginPage(false)
    // If unset, the issuer of the response is not validated.
    .issuer("string")
    .jwksUrl("string")
    .linkOnly(false)
    .backchannelSupported(false)
    .logoutUrl("string")
    .postBrokerLoginFlowAlias("string")
    .providerId("string")
    .authenticateByDefault(false)
    .storeToken(false)
    .syncMode("string")
    .addReadTokenRoleOnCreate(false)
    // When true, bypasses the realm's email verification policy for this provider's users.
    .trustEmail(false)
    .uiLocales(false)
    .userInfoUrl("string")
    // Defaults to false: signatures from the external IDP are not validated unless enabled.
    .validateSignature(false)
    .build());
# Reference shape only: every value below is a placeholder of the right type.
identity_provider_resource = keycloak.oidc.IdentityProvider("identityProviderResource",
    client_id="string",
    token_url="string",
    alias="string",
    realm="string",
    authorization_url="string",
    # Secret input: prefer the Keycloak vault ($${vault.ID} format) or a Pulumi secret over a literal.
    client_secret="string",
    gui_order="string",
    login_hint="string",
    default_scopes="string",
    disable_user_info=False,
    display_name="string",
    enabled=False,
    extra_config={
        "string": "string",
    },
    first_broker_login_flow_alias="string",
    accepts_prompt_none_forward_from_client=False,
    hide_on_login_page=False,
    # If unset, the issuer of the response is not validated.
    issuer="string",
    jwks_url="string",
    link_only=False,
    backchannel_supported=False,
    logout_url="string",
    post_broker_login_flow_alias="string",
    provider_id="string",
    authenticate_by_default=False,
    store_token=False,
    sync_mode="string",
    add_read_token_role_on_create=False,
    # When true, bypasses the realm's email verification policy for this provider's users.
    trust_email=False,
    ui_locales=False,
    user_info_url="string",
    # Defaults to false: signatures from the external IDP are not validated unless enabled.
    validate_signature=False)
// Reference shape only: every value below is a placeholder of the right type.
const identityProviderResource = new keycloak.oidc.IdentityProvider("identityProviderResource", {
    clientId: "string",
    tokenUrl: "string",
    alias: "string",
    realm: "string",
    authorizationUrl: "string",
    // Secret input: prefer the Keycloak vault ($${vault.ID} format) or a Pulumi secret over a literal.
    clientSecret: "string",
    guiOrder: "string",
    loginHint: "string",
    defaultScopes: "string",
    disableUserInfo: false,
    displayName: "string",
    enabled: false,
    extraConfig: {
        string: "string",
    },
    firstBrokerLoginFlowAlias: "string",
    acceptsPromptNoneForwardFromClient: false,
    hideOnLoginPage: false,
    // If unset, the issuer of the response is not validated.
    issuer: "string",
    jwksUrl: "string",
    linkOnly: false,
    backchannelSupported: false,
    logoutUrl: "string",
    postBrokerLoginFlowAlias: "string",
    providerId: "string",
    authenticateByDefault: false,
    storeToken: false,
    syncMode: "string",
    addReadTokenRoleOnCreate: false,
    // When true, bypasses the realm's email verification policy for this provider's users.
    trustEmail: false,
    uiLocales: false,
    userInfoUrl: "string",
    // Defaults to false: signatures from the external IDP are not validated unless enabled.
    validateSignature: false,
});
# Reference shape only: every value below is a placeholder of the right type.
type: keycloak:oidc:IdentityProvider
properties:
    acceptsPromptNoneForwardFromClient: false
    addReadTokenRoleOnCreate: false
    alias: string
    authenticateByDefault: false
    authorizationUrl: string
    backchannelSupported: false
    clientId: string
    # Secret input: prefer the Keycloak vault ($${vault.ID} format) or a Pulumi secret over a literal.
    clientSecret: string
    defaultScopes: string
    disableUserInfo: false
    displayName: string
    enabled: false
    extraConfig:
        string: string
    firstBrokerLoginFlowAlias: string
    guiOrder: string
    hideOnLoginPage: false
    # If unset, the issuer of the response is not validated.
    issuer: string
    jwksUrl: string
    linkOnly: false
    loginHint: string
    logoutUrl: string
    postBrokerLoginFlowAlias: string
    providerId: string
    realm: string
    storeToken: false
    syncMode: string
    tokenUrl: string
    # When true, bypasses the realm's email verification policy for this provider's users.
    trustEmail: false
    uiLocales: false
    userInfoUrl: string
    # Defaults to false: signatures from the external IDP are not validated unless enabled.
    validateSignature: false

IdentityProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The IdentityProvider resource accepts the following input properties:

Alias
This property is required.
Changes to this property will trigger replacement.
string
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
AuthorizationUrl This property is required. string
The Authorization Url.
ClientId This property is required. string
The client ID (client identifier) registered within the identity provider.
ClientSecret This property is required. string
The client secret registered within the identity provider. This field can take its value from the Keycloak vault; use the $${vault.ID} format.
Realm
This property is required.
Changes to this property will trigger replacement.
string
The name of the realm. This is unique across Keycloak.
TokenUrl This property is required. string
The Token URL.
AcceptsPromptNoneForwardFromClient bool
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
AddReadTokenRoleOnCreate Changes to this property will trigger replacement. bool
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
AuthenticateByDefault bool
Enable/disable authenticate users by default.
BackchannelSupported bool
Does the external IDP support backchannel logout? Defaults to true.
DefaultScopes string
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
DisableUserInfo bool
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
DisplayName string
Display name for the identity provider in the GUI.
Enabled bool
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig Dictionary<string, string>
FirstBrokerLoginFlowAlias string
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string
A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
Issuer string
The expected issuer identifier of the response. If not provided, the issuer is not validated.
JwksUrl string
JSON Web Key Set URL.
LinkOnly bool
When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string
Pass login hint to identity provider.
LogoutUrl string
The Logout URL is the end session endpoint to use to sign-out the user from external identity provider.
PostBrokerLoginFlowAlias string
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
StoreToken bool
When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TrustEmail bool
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UiLocales bool
Pass current locale to identity provider. Defaults to false.
UserInfoUrl string
User Info URL.
ValidateSignature bool
Enable/disable validation of signatures issued by the external IDP. Defaults to false.
Alias
This property is required.
Changes to this property will trigger replacement.
string
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
AuthorizationUrl This property is required. string
The Authorization Url.
ClientId This property is required. string
The client ID (client identifier) registered within the identity provider.
ClientSecret This property is required. string
The client secret registered within the identity provider. This field can take its value from the Keycloak vault; use the $${vault.ID} format.
Realm
This property is required.
Changes to this property will trigger replacement.
string
The name of the realm. This is unique across Keycloak.
TokenUrl This property is required. string
The Token URL.
AcceptsPromptNoneForwardFromClient bool
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
AddReadTokenRoleOnCreate Changes to this property will trigger replacement. bool
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
AuthenticateByDefault bool
Enable/disable authenticate users by default.
BackchannelSupported bool
Does the external IDP support backchannel logout? Defaults to true.
DefaultScopes string
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
DisableUserInfo bool
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
DisplayName string
Display name for the identity provider in the GUI.
Enabled bool
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig map[string]string
FirstBrokerLoginFlowAlias string
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string
A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
Issuer string
The expected issuer identifier of the response. If not provided, the issuer is not validated.
JwksUrl string
JSON Web Key Set URL.
LinkOnly bool
When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string
Pass login hint to identity provider.
LogoutUrl string
The Logout URL is the end session endpoint to use to sign-out the user from external identity provider.
PostBrokerLoginFlowAlias string
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
StoreToken bool
When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TrustEmail bool
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UiLocales bool
Pass current locale to identity provider. Defaults to false.
UserInfoUrl string
User Info URL.
ValidateSignature bool
Enable/disable validation of signatures issued by the external IDP. Defaults to false.
alias
This property is required.
Changes to this property will trigger replacement.
String
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authorizationUrl This property is required. String
The Authorization Url.
clientId This property is required. String
The client ID (client identifier) registered within the identity provider.
clientSecret This property is required. String
The client secret registered within the identity provider. This field can take its value from the Keycloak vault; use the $${vault.ID} format.
realm
This property is required.
Changes to this property will trigger replacement.
String
The name of the realm. This is unique across Keycloak.
tokenUrl This property is required. String
The Token URL.
acceptsPromptNoneForwardFromClient Boolean
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
addReadTokenRoleOnCreate Changes to this property will trigger replacement. Boolean
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault Boolean
Enable/disable authenticate users by default.
backchannelSupported Boolean
Does the external IDP support backchannel logout? Defaults to true.
defaultScopes String
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disableUserInfo Boolean
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName String
Display name for the identity provider in the GUI.
enabled Boolean
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String,String>
firstBrokerLoginFlowAlias String
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String
A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
issuer String
The expected issuer identifier of the response. If not provided, the issuer is not validated.
jwksUrl String
JSON Web Key Set URL.
linkOnly Boolean
When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String
Pass login hint to identity provider.
logoutUrl String
The Logout URL is the end session endpoint to use to sign-out the user from external identity provider.
postBrokerLoginFlowAlias String
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
storeToken Boolean
When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail Boolean
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
uiLocales Boolean
Pass current locale to identity provider. Defaults to false.
userInfoUrl String
User Info URL.
validateSignature Boolean
Enable/disable validation of signatures issued by the external IDP. Defaults to false.
alias
This property is required.
Changes to this property will trigger replacement.
string
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authorizationUrl This property is required. string
The Authorization Url.
clientId This property is required. string
The client ID (client identifier) registered within the identity provider.
clientSecret This property is required. string
The client secret registered within the identity provider. This field can take its value from the Keycloak vault; use the $${vault.ID} format.
realm
This property is required.
Changes to this property will trigger replacement.
string
The name of the realm. This is unique across Keycloak.
tokenUrl This property is required. string
The Token URL.
acceptsPromptNoneForwardFromClient boolean
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
addReadTokenRoleOnCreate Changes to this property will trigger replacement. boolean
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault boolean
Enable/disable authenticate users by default.
backchannelSupported boolean
Does the external IDP support backchannel logout? Defaults to true.
defaultScopes string
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disableUserInfo boolean
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName string
Display name for the identity provider in the GUI.
enabled boolean
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig {[key: string]: string}
firstBrokerLoginFlowAlias string
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder string
A number defining the order of this identity provider in the GUI.
hideOnLoginPage boolean
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
issuer string
The expected issuer identifier of the response. If not provided, the issuer is not validated.
jwksUrl string
JSON Web Key Set URL.
linkOnly boolean
When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint string
Pass login hint to identity provider.
logoutUrl string
The Logout URL is the end session endpoint to use to sign-out the user from external identity provider.
postBrokerLoginFlowAlias string
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId string
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
storeToken boolean
When true, tokens will be stored after authenticating users. Defaults to true.
syncMode string
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail boolean
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
uiLocales boolean
Pass current locale to identity provider. Defaults to false.
userInfoUrl string
User Info URL.
validateSignature boolean
Enable/disable validation of signatures issued by the external IDP. Defaults to false.
alias
This property is required.
Changes to this property will trigger replacement.
str
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authorization_url This property is required. str
The Authorization Url.
client_id This property is required. str
The client ID (client identifier) registered within the identity provider.
client_secret This property is required. str
The client secret registered within the identity provider. This field can take its value from the Keycloak vault; use the $${vault.ID} format.
realm
This property is required.
Changes to this property will trigger replacement.
str
The name of the realm. This is unique across Keycloak.
token_url This property is required. str
The Token URL.
accepts_prompt_none_forward_from_client bool
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
add_read_token_role_on_create Changes to this property will trigger replacement. bool
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticate_by_default bool
Enable/disable authenticating users by default.
backchannel_supported bool
Does the external IDP support backchannel logout? Defaults to true.
default_scopes str
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disable_user_info bool
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
display_name str
Display name for the identity provider in the GUI.
enabled bool
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extra_config Mapping[str, str]
first_broker_login_flow_alias str
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
gui_order str
A number defining the order of this identity provider in the GUI.
hide_on_login_page bool
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
issuer str
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
jwks_url str
JSON Web Key Set URL.
link_only bool
When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.
login_hint str
Pass login hint to identity provider.
logout_url str
The Logout URL is the end session endpoint used to sign out the user from the external identity provider.
post_broker_login_flow_alias str
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
provider_id str
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
store_token bool
When true, tokens will be stored after authenticating users. Defaults to true.
sync_mode str
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trust_email bool
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
ui_locales bool
Pass current locale to identity provider. Defaults to false.
user_info_url str
User Info URL.
validate_signature bool
Enable/disable validation of the external IDP's signatures. Defaults to false, so no signature validation is performed unless this is set.
alias
This property is required.
Changes to this property will trigger replacement.
String
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authorizationUrl This property is required. String
The Authorization URL.
clientId This property is required. String
The client identifier registered within the identity provider.
clientSecret This property is required. String
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.
realm
This property is required.
Changes to this property will trigger replacement.
String
The name of the realm. This is unique across Keycloak.
tokenUrl This property is required. String
The Token URL.
acceptsPromptNoneForwardFromClient Boolean
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
addReadTokenRoleOnCreate Changes to this property will trigger replacement. Boolean
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault Boolean
Enable/disable authenticating users by default.
backchannelSupported Boolean
Does the external IDP support backchannel logout? Defaults to true.
defaultScopes String
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disableUserInfo Boolean
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName String
Display name for the identity provider in the GUI.
enabled Boolean
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String>
firstBrokerLoginFlowAlias String
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String
A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
issuer String
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
jwksUrl String
JSON Web Key Set URL.
linkOnly Boolean
When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String
Pass login hint to identity provider.
logoutUrl String
The Logout URL is the end session endpoint used to sign out the user from the external identity provider.
postBrokerLoginFlowAlias String
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
storeToken Boolean
When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail Boolean
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
uiLocales Boolean
Pass current locale to identity provider. Defaults to false.
userInfoUrl String
User Info URL.
validateSignature Boolean
Enable/disable validation of the external IDP's signatures. Defaults to false, so no signature validation is performed unless this is set.

Outputs

All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
InternalId string
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
Id string
The provider-assigned unique ID for this managed resource.
InternalId string
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
id String
The provider-assigned unique ID for this managed resource.
internalId String
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
id string
The provider-assigned unique ID for this managed resource.
internalId string
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
id str
The provider-assigned unique ID for this managed resource.
internal_id str
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
id String
The provider-assigned unique ID for this managed resource.
internalId String
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Look up Existing IdentityProvider Resource

Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accepts_prompt_none_forward_from_client: Optional[bool] = None,
        add_read_token_role_on_create: Optional[bool] = None,
        alias: Optional[str] = None,
        authenticate_by_default: Optional[bool] = None,
        authorization_url: Optional[str] = None,
        backchannel_supported: Optional[bool] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        default_scopes: Optional[str] = None,
        disable_user_info: Optional[bool] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        extra_config: Optional[Mapping[str, str]] = None,
        first_broker_login_flow_alias: Optional[str] = None,
        gui_order: Optional[str] = None,
        hide_on_login_page: Optional[bool] = None,
        internal_id: Optional[str] = None,
        issuer: Optional[str] = None,
        jwks_url: Optional[str] = None,
        link_only: Optional[bool] = None,
        login_hint: Optional[str] = None,
        logout_url: Optional[str] = None,
        post_broker_login_flow_alias: Optional[str] = None,
        provider_id: Optional[str] = None,
        realm: Optional[str] = None,
        store_token: Optional[bool] = None,
        sync_mode: Optional[str] = None,
        token_url: Optional[str] = None,
        trust_email: Optional[bool] = None,
        ui_locales: Optional[bool] = None,
        user_info_url: Optional[str] = None,
        validate_signature: Optional[bool] = None) -> IdentityProvider
func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
resources:  _:    type: keycloak:oidc:IdentityProvider    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AcceptsPromptNoneForwardFromClient bool
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
AddReadTokenRoleOnCreate Changes to this property will trigger replacement. bool
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
Alias Changes to this property will trigger replacement. string
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
AuthenticateByDefault bool
Enable/disable authenticating users by default.
AuthorizationUrl string
The Authorization URL.
BackchannelSupported bool
Does the external IDP support backchannel logout? Defaults to true.
ClientId string
The client identifier registered within the identity provider.
ClientSecret string
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.
DefaultScopes string
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
DisableUserInfo bool
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
DisplayName string
Display name for the identity provider in the GUI.
Enabled bool
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig Dictionary<string, string>
FirstBrokerLoginFlowAlias string
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string
A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
InternalId string
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
Issuer string
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
JwksUrl string
JSON Web Key Set URL.
LinkOnly bool
When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string
Pass login hint to identity provider.
LogoutUrl string
The Logout URL is the end session endpoint used to sign out the user from the external identity provider.
PostBrokerLoginFlowAlias string
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
Realm Changes to this property will trigger replacement. string
The name of the realm. This is unique across Keycloak.
StoreToken bool
When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TokenUrl string
The Token URL.
TrustEmail bool
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UiLocales bool
Pass current locale to identity provider. Defaults to false.
UserInfoUrl string
User Info URL.
ValidateSignature bool
Enable/disable validation of the external IDP's signatures. Defaults to false, so no signature validation is performed unless this is set.
AcceptsPromptNoneForwardFromClient bool
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
AddReadTokenRoleOnCreate Changes to this property will trigger replacement. bool
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
Alias Changes to this property will trigger replacement. string
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
AuthenticateByDefault bool
Enable/disable authenticating users by default.
AuthorizationUrl string
The Authorization URL.
BackchannelSupported bool
Does the external IDP support backchannel logout? Defaults to true.
ClientId string
The client identifier registered within the identity provider.
ClientSecret string
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.
DefaultScopes string
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
DisableUserInfo bool
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
DisplayName string
Display name for the identity provider in the GUI.
Enabled bool
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig map[string]string
FirstBrokerLoginFlowAlias string
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string
A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
InternalId string
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
Issuer string
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
JwksUrl string
JSON Web Key Set URL.
LinkOnly bool
When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string
Pass login hint to identity provider.
LogoutUrl string
The Logout URL is the end session endpoint used to sign out the user from the external identity provider.
PostBrokerLoginFlowAlias string
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
Realm Changes to this property will trigger replacement. string
The name of the realm. This is unique across Keycloak.
StoreToken bool
When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TokenUrl string
The Token URL.
TrustEmail bool
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UiLocales bool
Pass current locale to identity provider. Defaults to false.
UserInfoUrl string
User Info URL.
ValidateSignature bool
Enable/disable validation of the external IDP's signatures. Defaults to false, so no signature validation is performed unless this is set.
acceptsPromptNoneForwardFromClient Boolean
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
addReadTokenRoleOnCreate Changes to this property will trigger replacement. Boolean
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias Changes to this property will trigger replacement. String
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authenticateByDefault Boolean
Enable/disable authenticating users by default.
authorizationUrl String
The Authorization URL.
backchannelSupported Boolean
Does the external IDP support backchannel logout? Defaults to true.
clientId String
The client identifier registered within the identity provider.
clientSecret String
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.
defaultScopes String
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disableUserInfo Boolean
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName String
Display name for the identity provider in the GUI.
enabled Boolean
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String,String>
firstBrokerLoginFlowAlias String
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String
A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
internalId String
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
issuer String
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
jwksUrl String
JSON Web Key Set URL.
linkOnly Boolean
When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String
Pass login hint to identity provider.
logoutUrl String
The Logout URL is the end session endpoint used to sign out the user from the external identity provider.
postBrokerLoginFlowAlias String
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
realm Changes to this property will trigger replacement. String
The name of the realm. This is unique across Keycloak.
storeToken Boolean
When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
tokenUrl String
The Token URL.
trustEmail Boolean
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
uiLocales Boolean
Pass current locale to identity provider. Defaults to false.
userInfoUrl String
User Info URL.
validateSignature Boolean
Enable/disable validation of the external IDP's signatures. Defaults to false, so no signature validation is performed unless this is set.
acceptsPromptNoneForwardFromClient boolean
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
addReadTokenRoleOnCreate Changes to this property will trigger replacement. boolean
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias Changes to this property will trigger replacement. string
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authenticateByDefault boolean
Enable/disable authenticating users by default.
authorizationUrl string
The Authorization URL.
backchannelSupported boolean
Does the external IDP support backchannel logout? Defaults to true.
clientId string
The client identifier registered within the identity provider.
clientSecret string
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.
defaultScopes string
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disableUserInfo boolean
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName string
Display name for the identity provider in the GUI.
enabled boolean
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig {[key: string]: string}
firstBrokerLoginFlowAlias string
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder string
A number defining the order of this identity provider in the GUI.
hideOnLoginPage boolean
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
internalId string
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
issuer string
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
jwksUrl string
JSON Web Key Set URL.
linkOnly boolean
When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint string
Pass login hint to identity provider.
logoutUrl string
The Logout URL is the end session endpoint used to sign out the user from the external identity provider.
postBrokerLoginFlowAlias string
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId string
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
realm Changes to this property will trigger replacement. string
The name of the realm. This is unique across Keycloak.
storeToken boolean
When true, tokens will be stored after authenticating users. Defaults to true.
syncMode string
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
tokenUrl string
The Token URL.
trustEmail boolean
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
uiLocales boolean
Pass current locale to identity provider. Defaults to false.
userInfoUrl string
User Info URL.
validateSignature boolean
Enable/disable validation of the external IDP's signatures. Defaults to false, so no signature validation is performed unless this is set.
accepts_prompt_none_forward_from_client bool
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
add_read_token_role_on_create Changes to this property will trigger replacement. bool
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias Changes to this property will trigger replacement. str
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authenticate_by_default bool
Enable/disable authenticating users by default.
authorization_url str
The Authorization URL.
backchannel_supported bool
Does the external IDP support backchannel logout? Defaults to true.
client_id str
The client identifier registered within the identity provider.
client_secret str
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.
default_scopes str
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disable_user_info bool
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
display_name str
Display name for the identity provider in the GUI.
enabled bool
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extra_config Mapping[str, str]
first_broker_login_flow_alias str
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
gui_order str
A number defining the order of this identity provider in the GUI.
hide_on_login_page bool
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
internal_id str
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
issuer str
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
jwks_url str
JSON Web Key Set URL.
link_only bool
When true, users cannot sign in using this provider, but their existing accounts will be linked when possible. Defaults to false.
login_hint str
Pass login hint to identity provider.
logout_url str
The Logout URL is the end session endpoint used to sign out the user from the external identity provider.
post_broker_login_flow_alias str
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
provider_id str
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
realm Changes to this property will trigger replacement. str
The name of the realm. This is unique across Keycloak.
store_token bool
When true, tokens will be stored after authenticating users. Defaults to true.
sync_mode str
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
token_url str
The Token URL.
trust_email bool
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
ui_locales bool
Pass current locale to identity provider. Defaults to false.
user_info_url str
User Info URL.
validate_signature bool
Enable/disable validation of the external IDP's signatures. Defaults to false, so no signature validation is performed unless this is set.
acceptsPromptNoneForwardFromClient Boolean
When true, the IDP will accept forwarded authentication requests that contain the prompt=none query parameter. Defaults to false.
addReadTokenRoleOnCreate Changes to this property will trigger replacement. Boolean
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias Changes to this property will trigger replacement. String
The alias uniquely identifies an identity provider, and it is also used to build the redirect uri.
authenticateByDefault Boolean
Enable/disable authenticating users by default.
authorizationUrl String
The Authorization URL.
backchannelSupported Boolean
Does the external IDP support backchannel logout? Defaults to true.
clientId String
The client identifier registered within the identity provider.
clientSecret String
The client secret registered within the identity provider. This field can obtain its value from the Keycloak vault using the $${vault.ID} format.
defaultScopes String
The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid.
disableUserInfo Boolean
When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName String
Display name for the identity provider in the GUI.
enabled Boolean
When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String>
firstBrokerLoginFlowAlias String
The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String
A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean
When true, this provider will be hidden on the login page, and is only accessible when requested explicitly. Defaults to false.
internalId String
(Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
issuer String
The issuer identifier expected in the response. If not provided, no issuer validation will be performed.
jwksUrl String
URL of the external provider's JSON Web Key Set (JWKS), from which the public keys used to validate token signatures are fetched (see validateSignature).
linkOnly Boolean
When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String
Pass the login hint to the identity provider.
logoutUrl String
The Logout URL is the end-session endpoint used to sign the user out of the external identity provider.
postBrokerLoginFlowAlias String
The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String
The ID of the identity provider to use. Defaults to oidc, which should be used unless you have extended Keycloak and provided your own implementation.
realm Changes to this property will trigger replacement. String
The name of the realm. This is unique across Keycloak.
storeToken Boolean
When true, the tokens issued by the external provider will be stored after authenticating users. Defaults to true. Stored tokens can be read by users holding the broker.read-token role (see addReadTokenRoleOnCreate); if you do not need the external tokens, consider setting this to false.
syncMode String
The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
tokenUrl String
The Token URL.
trustEmail Boolean
When true, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Defaults to false. Only enable this when you trust the external provider to verify email addresses itself, since Keycloak will skip its own verification.
uiLocales Boolean
Pass current locale to identity provider. Defaults to false.
userInfoUrl String
User Info URL.
validateSignature Boolean
When true, signatures on tokens from the external IDP are validated (see jwksUrl). Defaults to false, which means tokens are accepted without any signature check; enable this for any production deployment.

Import

Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

Example:

bash

$ pulumi import keycloak:oidc/identityProvider:IdentityProvider realm_identity_provider my-realm/my-idp

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Keycloak pulumi/pulumi-keycloak
License
Apache-2.0
Notes
This Pulumi package is based on the keycloak Terraform Provider.