Docs Home
Packages
FusionAuth v5.0.4 published on Tuesday, Jul 9, 2024 by Theo Gravity
fusionauth.FusionAuthIdpOpenIdConnect
Explore with Pulumi AI
# OpenID Connect Identity Provider Resource
OpenID Connect identity providers connect to external OpenID Connect login systems. This type of login will optionally provide a Login with … button on FusionAuth’s login page. This button is customizable by using different properties of the identity provider.
Optionally, this identity provider can define one or more domains it is associated with. This is useful for allowing employees to log in with their corporate credentials. As long as the company has an identity solution that provides OpenID Connect, you can leverage this feature. This is referred to as a Domain Based Identity Provider. If you enable domains for an identity provider, the Login with … button will not be displayed. Instead, only the email form field will be displayed initially on the FusionAuth login page. Once the user types in their email address, FusionAuth will determine if the user is logging in locally or if they should be redirected to this identity provider. This is determined by extracting the domain from their email address and comparing it to the domains associated with the identity provider.
FusionAuth will also leverage the /userinfo API that is part of the OpenID Connect specification. The email address returned from the Userinfo response will be used to create or lookup the existing user. Additional claims from the Userinfo response can be used to reconcile the User in FusionAuth by using an OpenID Connect Reconcile Lambda. Unless you assign a reconcile lambda to this provider, on the email address will be used from the available claims returned by the OpenID Connect identity provider.
If the external OpenID Connect identity provider returns a refresh token, it will be stored in the UserRegistration object inside the tokens Map. This Map stores the tokens from the various identity providers so that you can use them in your application to call their APIs.
OpenID Connect Identity Providers API
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fusionauth from "pulumi-fusionauth";
const openID = new fusionauth.FusionAuthIdpOpenIdConnect("openID", {
applicationConfigurations: [{
applicationId: fusionauth_application.myapp.id,
createRegistration: true,
enabled: true,
}],
oauth2AuthorizationEndpoint: "https://acme.com/oauth2/authorization",
oauth2ClientId: "191c23dc-b772-4558-bd21-dc1cbf74ae21",
oauth2ClientSecret: "SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO",
oauth2ClientAuthenticationMethod: "client_secret_basic",
oauth2Scope: "openid offline_access",
oauth2TokenEndpoint: "https://acme.com/oauth2/token",
oauth2UserInfoEndpoint: "https://acme.com/oauth2/userinfo",
buttonText: "Login with OpenID Connect",
debug: false,
enabled: true,
tenantConfigurations: [{
tenantId: fusionauth_tenant.example.id,
limitUserLinkCountEnabled: false,
limitUserLinkCountMaximumLinks: 42,
}],
});
import pulumi
import theogravity_pulumi-fusionauth as fusionauth
open_id = fusionauth.FusionAuthIdpOpenIdConnect("openID",
application_configurations=[fusionauth.FusionAuthIdpOpenIdConnectApplicationConfigurationArgs(
application_id=fusionauth_application["myapp"]["id"],
create_registration=True,
enabled=True,
)],
oauth2_authorization_endpoint="https://acme.com/oauth2/authorization",
oauth2_client_id="191c23dc-b772-4558-bd21-dc1cbf74ae21",
oauth2_client_secret="SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO",
oauth2_client_authentication_method="client_secret_basic",
oauth2_scope="openid offline_access",
oauth2_token_endpoint="https://acme.com/oauth2/token",
oauth2_user_info_endpoint="https://acme.com/oauth2/userinfo",
button_text="Login with OpenID Connect",
debug=False,
enabled=True,
tenant_configurations=[fusionauth.FusionAuthIdpOpenIdConnectTenantConfigurationArgs(
tenant_id=fusionauth_tenant["example"]["id"],
limit_user_link_count_enabled=False,
limit_user_link_count_maximum_links=42,
)])
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/theogravity/pulumi-fusionauth/sdk/go/fusionauth"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := fusionauth.NewFusionAuthIdpOpenIdConnect(ctx, "openID", &fusionauth.FusionAuthIdpOpenIdConnectArgs{
ApplicationConfigurations: fusionauth.FusionAuthIdpOpenIdConnectApplicationConfigurationArray{
&fusionauth.FusionAuthIdpOpenIdConnectApplicationConfigurationArgs{
ApplicationId: pulumi.Any(fusionauth_application.Myapp.Id),
CreateRegistration: pulumi.Bool(true),
Enabled: pulumi.Bool(true),
},
},
Oauth2AuthorizationEndpoint: pulumi.String("https://acme.com/oauth2/authorization"),
Oauth2ClientId: pulumi.String("191c23dc-b772-4558-bd21-dc1cbf74ae21"),
Oauth2ClientSecret: pulumi.String("SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO"),
Oauth2ClientAuthenticationMethod: pulumi.String("client_secret_basic"),
Oauth2Scope: pulumi.String("openid offline_access"),
Oauth2TokenEndpoint: pulumi.String("https://acme.com/oauth2/token"),
Oauth2UserInfoEndpoint: pulumi.String("https://acme.com/oauth2/userinfo"),
ButtonText: pulumi.String("Login with OpenID Connect"),
Debug: pulumi.Bool(false),
Enabled: pulumi.Bool(true),
TenantConfigurations: fusionauth.FusionAuthIdpOpenIdConnectTenantConfigurationArray{
&fusionauth.FusionAuthIdpOpenIdConnectTenantConfigurationArgs{
TenantId: pulumi.Any(fusionauth_tenant.Example.Id),
LimitUserLinkCountEnabled: pulumi.Bool(false),
LimitUserLinkCountMaximumLinks: pulumi.Int(42),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fusionauth = theogravity.Fusionauth;
return await Deployment.RunAsync(() =>
{
var openID = new Fusionauth.FusionAuthIdpOpenIdConnect("openID", new()
{
ApplicationConfigurations = new[]
{
new Fusionauth.Inputs.FusionAuthIdpOpenIdConnectApplicationConfigurationArgs
{
ApplicationId = fusionauth_application.Myapp.Id,
CreateRegistration = true,
Enabled = true,
},
},
Oauth2AuthorizationEndpoint = "https://acme.com/oauth2/authorization",
Oauth2ClientId = "191c23dc-b772-4558-bd21-dc1cbf74ae21",
Oauth2ClientSecret = "SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO",
Oauth2ClientAuthenticationMethod = "client_secret_basic",
Oauth2Scope = "openid offline_access",
Oauth2TokenEndpoint = "https://acme.com/oauth2/token",
Oauth2UserInfoEndpoint = "https://acme.com/oauth2/userinfo",
ButtonText = "Login with OpenID Connect",
Debug = false,
Enabled = true,
TenantConfigurations = new[]
{
new Fusionauth.Inputs.FusionAuthIdpOpenIdConnectTenantConfigurationArgs
{
TenantId = fusionauth_tenant.Example.Id,
LimitUserLinkCountEnabled = false,
LimitUserLinkCountMaximumLinks = 42,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fusionauth.FusionAuthIdpOpenIdConnect;
import com.pulumi.fusionauth.FusionAuthIdpOpenIdConnectArgs;
import com.pulumi.fusionauth.inputs.FusionAuthIdpOpenIdConnectApplicationConfigurationArgs;
import com.pulumi.fusionauth.inputs.FusionAuthIdpOpenIdConnectTenantConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var openID = new FusionAuthIdpOpenIdConnect("openID", FusionAuthIdpOpenIdConnectArgs.builder()
.applicationConfigurations(FusionAuthIdpOpenIdConnectApplicationConfigurationArgs.builder()
.applicationId(fusionauth_application.myapp().id())
.createRegistration(true)
.enabled(true)
.build())
.oauth2AuthorizationEndpoint("https://acme.com/oauth2/authorization")
.oauth2ClientId("191c23dc-b772-4558-bd21-dc1cbf74ae21")
.oauth2ClientSecret("SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO")
.oauth2ClientAuthenticationMethod("client_secret_basic")
.oauth2Scope("openid offline_access")
.oauth2TokenEndpoint("https://acme.com/oauth2/token")
.oauth2UserInfoEndpoint("https://acme.com/oauth2/userinfo")
.buttonText("Login with OpenID Connect")
.debug(false)
.enabled(true)
.tenantConfigurations(FusionAuthIdpOpenIdConnectTenantConfigurationArgs.builder()
.tenantId(fusionauth_tenant.example().id())
.limitUserLinkCountEnabled(false)
.limitUserLinkCountMaximumLinks(42)
.build())
.build());
}
}
resources:
openID:
type: fusionauth:FusionAuthIdpOpenIdConnect
properties:
applicationConfigurations:
- applicationId: ${fusionauth_application.myapp.id}
createRegistration: true
enabled: true
oauth2AuthorizationEndpoint: https://acme.com/oauth2/authorization
oauth2ClientId: 191c23dc-b772-4558-bd21-dc1cbf74ae21
oauth2ClientSecret: SUsnoP0pWUYfXvWbSe5pvj8Di5nAxOvO
oauth2ClientAuthenticationMethod: client_secret_basic
oauth2Scope: openid offline_access
oauth2TokenEndpoint: https://acme.com/oauth2/token
oauth2UserInfoEndpoint: https://acme.com/oauth2/userinfo
buttonText: Login with OpenID Connect
debug: false
enabled: true
tenantConfigurations:
- tenantId: ${fusionauth_tenant.example.id}
limitUserLinkCountEnabled: false
limitUserLinkCountMaximumLinks: 42
Create FusionAuthIdpOpenIdConnect Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new FusionAuthIdpOpenIdConnect(name: string, args: FusionAuthIdpOpenIdConnectArgs, opts?: CustomResourceOptions);@overload
def FusionAuthIdpOpenIdConnect(resource_name: str,
args: FusionAuthIdpOpenIdConnectArgs,
opts: Optional[ResourceOptions] = None)
@overload
def FusionAuthIdpOpenIdConnect(resource_name: str,
opts: Optional[ResourceOptions] = None,
button_text: Optional[str] = None,
oauth2_client_id: Optional[str] = None,
oauth2_authorization_endpoint: Optional[str] = None,
oauth2_client_secret: Optional[str] = None,
domains: Optional[Sequence[str]] = None,
enabled: Optional[bool] = None,
idp_id: Optional[str] = None,
lambda_reconcile_id: Optional[str] = None,
linking_strategy: Optional[str] = None,
name: Optional[str] = None,
application_configurations: Optional[Sequence[FusionAuthIdpOpenIdConnectApplicationConfigurationArgs]] = None,
oauth2_client_authentication_method: Optional[str] = None,
button_image_url: Optional[str] = None,
debug: Optional[bool] = None,
oauth2_email_claim: Optional[str] = None,
oauth2_issuer: Optional[str] = None,
oauth2_scope: Optional[str] = None,
oauth2_token_endpoint: Optional[str] = None,
oauth2_unique_id_claim: Optional[str] = None,
oauth2_user_info_endpoint: Optional[str] = None,
oauth2_username_claim: Optional[str] = None,
post_request: Optional[bool] = None,
tenant_configurations: Optional[Sequence[FusionAuthIdpOpenIdConnectTenantConfigurationArgs]] = None)func NewFusionAuthIdpOpenIdConnect(ctx *Context, name string, args FusionAuthIdpOpenIdConnectArgs, opts ...ResourceOption) (*FusionAuthIdpOpenIdConnect, error)public FusionAuthIdpOpenIdConnect(string name, FusionAuthIdpOpenIdConnectArgs args, CustomResourceOptions? opts = null)
public FusionAuthIdpOpenIdConnect(String name, FusionAuthIdpOpenIdConnectArgs args)
public FusionAuthIdpOpenIdConnect(String name, FusionAuthIdpOpenIdConnectArgs args, CustomResourceOptions options)
type: fusionauth:FusionAuthIdpOpenIdConnect
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args FusionAuthIdpOpenIdConnectArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args FusionAuthIdpOpenIdConnectArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args FusionAuthIdpOpenIdConnectArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args FusionAuthIdpOpenIdConnectArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args FusionAuthIdpOpenIdConnectArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var fusionAuthIdpOpenIdConnectResource = new Fusionauth.FusionAuthIdpOpenIdConnect("fusionAuthIdpOpenIdConnectResource", new()
{
ButtonText = "string",
Oauth2ClientId = "string",
Oauth2AuthorizationEndpoint = "string",
Oauth2ClientSecret = "string",
Domains = new[]
{
"string",
},
Enabled = false,
IdpId = "string",
LambdaReconcileId = "string",
LinkingStrategy = "string",
Name = "string",
ApplicationConfigurations = new[]
{
new Fusionauth.Inputs.FusionAuthIdpOpenIdConnectApplicationConfigurationArgs
{
ApplicationId = "string",
ButtonImageUrl = "string",
ButtonText = "string",
CreateRegistration = false,
Enabled = false,
Oauth2ClientId = "string",
Oauth2ClientSecret = "string",
Oauth2Scope = "string",
},
},
Oauth2ClientAuthenticationMethod = "string",
ButtonImageUrl = "string",
Debug = false,
Oauth2EmailClaim = "string",
Oauth2Issuer = "string",
Oauth2Scope = "string",
Oauth2TokenEndpoint = "string",
Oauth2UniqueIdClaim = "string",
Oauth2UserInfoEndpoint = "string",
Oauth2UsernameClaim = "string",
PostRequest = false,
TenantConfigurations = new[]
{
new Fusionauth.Inputs.FusionAuthIdpOpenIdConnectTenantConfigurationArgs
{
LimitUserLinkCountEnabled = false,
LimitUserLinkCountMaximumLinks = 0,
TenantId = "string",
},
},
});
example, err := fusionauth.NewFusionAuthIdpOpenIdConnect(ctx, "fusionAuthIdpOpenIdConnectResource", &fusionauth.FusionAuthIdpOpenIdConnectArgs{
ButtonText: pulumi.String("string"),
Oauth2ClientId: pulumi.String("string"),
Oauth2AuthorizationEndpoint: pulumi.String("string"),
Oauth2ClientSecret: pulumi.String("string"),
Domains: pulumi.StringArray{
pulumi.String("string"),
},
Enabled: pulumi.Bool(false),
IdpId: pulumi.String("string"),
LambdaReconcileId: pulumi.String("string"),
LinkingStrategy: pulumi.String("string"),
Name: pulumi.String("string"),
ApplicationConfigurations: fusionauth.FusionAuthIdpOpenIdConnectApplicationConfigurationArray{
&fusionauth.FusionAuthIdpOpenIdConnectApplicationConfigurationArgs{
ApplicationId: pulumi.String("string"),
ButtonImageUrl: pulumi.String("string"),
ButtonText: pulumi.String("string"),
CreateRegistration: pulumi.Bool(false),
Enabled: pulumi.Bool(false),
Oauth2ClientId: pulumi.String("string"),
Oauth2ClientSecret: pulumi.String("string"),
Oauth2Scope: pulumi.String("string"),
},
},
Oauth2ClientAuthenticationMethod: pulumi.String("string"),
ButtonImageUrl: pulumi.String("string"),
Debug: pulumi.Bool(false),
Oauth2EmailClaim: pulumi.String("string"),
Oauth2Issuer: pulumi.String("string"),
Oauth2Scope: pulumi.String("string"),
Oauth2TokenEndpoint: pulumi.String("string"),
Oauth2UniqueIdClaim: pulumi.String("string"),
Oauth2UserInfoEndpoint: pulumi.String("string"),
Oauth2UsernameClaim: pulumi.String("string"),
PostRequest: pulumi.Bool(false),
TenantConfigurations: fusionauth.FusionAuthIdpOpenIdConnectTenantConfigurationArray{
&fusionauth.FusionAuthIdpOpenIdConnectTenantConfigurationArgs{
LimitUserLinkCountEnabled: pulumi.Bool(false),
LimitUserLinkCountMaximumLinks: pulumi.Int(0),
TenantId: pulumi.String("string"),
},
},
})
var fusionAuthIdpOpenIdConnectResource = new FusionAuthIdpOpenIdConnect("fusionAuthIdpOpenIdConnectResource", FusionAuthIdpOpenIdConnectArgs.builder()
.buttonText("string")
.oauth2ClientId("string")
.oauth2AuthorizationEndpoint("string")
.oauth2ClientSecret("string")
.domains("string")
.enabled(false)
.idpId("string")
.lambdaReconcileId("string")
.linkingStrategy("string")
.name("string")
.applicationConfigurations(FusionAuthIdpOpenIdConnectApplicationConfigurationArgs.builder()
.applicationId("string")
.buttonImageUrl("string")
.buttonText("string")
.createRegistration(false)
.enabled(false)
.oauth2ClientId("string")
.oauth2ClientSecret("string")
.oauth2Scope("string")
.build())
.oauth2ClientAuthenticationMethod("string")
.buttonImageUrl("string")
.debug(false)
.oauth2EmailClaim("string")
.oauth2Issuer("string")
.oauth2Scope("string")
.oauth2TokenEndpoint("string")
.oauth2UniqueIdClaim("string")
.oauth2UserInfoEndpoint("string")
.oauth2UsernameClaim("string")
.postRequest(false)
.tenantConfigurations(FusionAuthIdpOpenIdConnectTenantConfigurationArgs.builder()
.limitUserLinkCountEnabled(false)
.limitUserLinkCountMaximumLinks(0)
.tenantId("string")
.build())
.build());
fusion_auth_idp_open_id_connect_resource = fusionauth.FusionAuthIdpOpenIdConnect("fusionAuthIdpOpenIdConnectResource",
button_text="string",
oauth2_client_id="string",
oauth2_authorization_endpoint="string",
oauth2_client_secret="string",
domains=["string"],
enabled=False,
idp_id="string",
lambda_reconcile_id="string",
linking_strategy="string",
name="string",
application_configurations=[fusionauth.FusionAuthIdpOpenIdConnectApplicationConfigurationArgs(
application_id="string",
button_image_url="string",
button_text="string",
create_registration=False,
enabled=False,
oauth2_client_id="string",
oauth2_client_secret="string",
oauth2_scope="string",
)],
oauth2_client_authentication_method="string",
button_image_url="string",
debug=False,
oauth2_email_claim="string",
oauth2_issuer="string",
oauth2_scope="string",
oauth2_token_endpoint="string",
oauth2_unique_id_claim="string",
oauth2_user_info_endpoint="string",
oauth2_username_claim="string",
post_request=False,
tenant_configurations=[fusionauth.FusionAuthIdpOpenIdConnectTenantConfigurationArgs(
limit_user_link_count_enabled=False,
limit_user_link_count_maximum_links=0,
tenant_id="string",
)])
const fusionAuthIdpOpenIdConnectResource = new fusionauth.FusionAuthIdpOpenIdConnect("fusionAuthIdpOpenIdConnectResource", {
buttonText: "string",
oauth2ClientId: "string",
oauth2AuthorizationEndpoint: "string",
oauth2ClientSecret: "string",
domains: ["string"],
enabled: false,
idpId: "string",
lambdaReconcileId: "string",
linkingStrategy: "string",
name: "string",
applicationConfigurations: [{
applicationId: "string",
buttonImageUrl: "string",
buttonText: "string",
createRegistration: false,
enabled: false,
oauth2ClientId: "string",
oauth2ClientSecret: "string",
oauth2Scope: "string",
}],
oauth2ClientAuthenticationMethod: "string",
buttonImageUrl: "string",
debug: false,
oauth2EmailClaim: "string",
oauth2Issuer: "string",
oauth2Scope: "string",
oauth2TokenEndpoint: "string",
oauth2UniqueIdClaim: "string",
oauth2UserInfoEndpoint: "string",
oauth2UsernameClaim: "string",
postRequest: false,
tenantConfigurations: [{
limitUserLinkCountEnabled: false,
limitUserLinkCountMaximumLinks: 0,
tenantId: "string",
}],
});
type: fusionauth:FusionAuthIdpOpenIdConnect
properties:
applicationConfigurations:
- applicationId: string
buttonImageUrl: string
buttonText: string
createRegistration: false
enabled: false
oauth2ClientId: string
oauth2ClientSecret: string
oauth2Scope: string
buttonImageUrl: string
buttonText: string
debug: false
domains:
- string
enabled: false
idpId: string
lambdaReconcileId: string
linkingStrategy: string
name: string
oauth2AuthorizationEndpoint: string
oauth2ClientAuthenticationMethod: string
oauth2ClientId: string
oauth2ClientSecret: string
oauth2EmailClaim: string
oauth2Issuer: string
oauth2Scope: string
oauth2TokenEndpoint: string
oauth2UniqueIdClaim: string
oauth2UserInfoEndpoint: string
oauth2UsernameClaim: string
postRequest: false
tenantConfigurations:
- limitUserLinkCountEnabled: false
limitUserLinkCountMaximumLinks: 0
tenantId: string
FusionAuthIdpOpenIdConnect Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The FusionAuthIdpOpenIdConnect resource accepts the following input properties:
- string
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- Oauth2Client
Id string - The top-level client id for your Application.
- Application
Configurations List<theogravity.Fusionauth. Inputs. Fusion Auth Idp Open Id Connect Application Configuration> - The configuration for each Application that the identity provider is enabled for.
- string
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- Debug bool
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- Domains List<string>
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- Enabled bool
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- Idp
Id string - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- Lambda
Reconcile stringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- Linking
Strategy string - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- Name string
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- string
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Client
Authentication stringMethod - The client authentication method to use with the OpenID Connect identity provider.
- Oauth2Client
Secret string - The top-level client secret to use with the OpenID Connect identity provider.
- Oauth2Email
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- Oauth2Issuer string
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- Oauth2Scope string
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- Oauth2Token
Endpoint string - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Unique
Id stringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- Oauth2User
Info stringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Username
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- Post
Request bool - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- Tenant
Configurations List<theogravity.Fusionauth. Inputs. Fusion Auth Idp Open Id Connect Tenant Configuration> - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- string
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- Oauth2Client
Id string - The top-level client id for your Application.
- Application
Configurations []FusionAuth Idp Open Id Connect Application Configuration Args - The configuration for each Application that the identity provider is enabled for.
- string
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- Debug bool
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- Domains []string
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- Enabled bool
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- Idp
Id string - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- Lambda
Reconcile stringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- Linking
Strategy string - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- Name string
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- string
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Client
Authentication stringMethod - The client authentication method to use with the OpenID Connect identity provider.
- Oauth2Client
Secret string - The top-level client secret to use with the OpenID Connect identity provider.
- Oauth2Email
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- Oauth2Issuer string
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- Oauth2Scope string
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- Oauth2Token
Endpoint string - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Unique
Id stringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- Oauth2User
Info stringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Username
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- Post
Request bool - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- Tenant
Configurations []FusionAuth Idp Open Id Connect Tenant Configuration Args - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- String
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- oauth2Client
Id String - The top-level client id for your Application.
- application
Configurations List<FusionAuth Idp Open Id Connect Application Configuration> - The configuration for each Application that the identity provider is enabled for.
- String
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- debug Boolean
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains List<String>
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled Boolean
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp
Id String - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda
Reconcile StringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking
Strategy String - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name String
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- String
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2Client
Authentication StringMethod - The client authentication method to use with the OpenID Connect identity provider.
- oauth2Client
Secret String - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2Email
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2Issuer String
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2Scope String
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2Token
Endpoint String - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2Unique
Id StringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2User
Info StringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2Username
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post
Request Boolean - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant
Configurations List<FusionAuth Idp Open Id Connect Tenant Configuration> - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- string
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- oauth2Client
Id string - The top-level client id for your Application.
- application
Configurations FusionAuth Idp Open Id Connect Application Configuration[] - The configuration for each Application that the identity provider is enabled for.
- string
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- debug boolean
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains string[]
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled boolean
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp
Id string - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda
Reconcile stringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking
Strategy string - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name string
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- string
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2Client
Authentication stringMethod - The client authentication method to use with the OpenID Connect identity provider.
- oauth2Client
Secret string - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2Email
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2Issuer string
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2Scope string
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2Token
Endpoint string - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2Unique
Id stringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2User
Info stringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2Username
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post
Request boolean - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant
Configurations FusionAuth Idp Open Id Connect Tenant Configuration[] - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- str
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- oauth2_
client_ strid - The top-level client id for your Application.
- application_
configurations Sequence[FusionAuth Idp Open Id Connect Application Configuration Args] - The configuration for each Application that the identity provider is enabled for.
- str
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- debug bool
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains Sequence[str]
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled bool
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp_
id str - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda_
reconcile_ strid - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking_
strategy str - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name str
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- str
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2_
client_ strauthentication_ method - The client authentication method to use with the OpenID Connect identity provider.
- oauth2_
client_ strsecret - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2_
email_ strclaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2_
issuer str - The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2_
scope str - The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2_
token_ strendpoint - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2_
unique_ strid_ claim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2_
user_ strinfo_ endpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2_
username_ strclaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post_
request bool - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant_
configurations Sequence[FusionAuth Idp Open Id Connect Tenant Configuration Args] - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- String
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- oauth2Client
Id String - The top-level client id for your Application.
- application
Configurations List<Property Map> - The configuration for each Application that the identity provider is enabled for.
- String
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- debug Boolean
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains List<String>
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled Boolean
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp
Id String - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda
Reconcile StringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking
Strategy String - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name String
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- String
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2Client
Authentication StringMethod - The client authentication method to use with the OpenID Connect identity provider.
- oauth2Client
Secret String - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2Email
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2Issuer String
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2Scope String
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2Token
Endpoint String - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2Unique
Id StringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2User
Info StringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2Username
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post
Request Boolean - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant
Configurations List<Property Map> - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
Outputs
All input properties are implicitly available as output properties. Additionally, the FusionAuthIdpOpenIdConnect resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing FusionAuthIdpOpenIdConnect Resource
Get an existing FusionAuthIdpOpenIdConnect resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: FusionAuthIdpOpenIdConnectState, opts?: CustomResourceOptions): FusionAuthIdpOpenIdConnect@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
application_configurations: Optional[Sequence[FusionAuthIdpOpenIdConnectApplicationConfigurationArgs]] = None,
button_image_url: Optional[str] = None,
button_text: Optional[str] = None,
debug: Optional[bool] = None,
domains: Optional[Sequence[str]] = None,
enabled: Optional[bool] = None,
idp_id: Optional[str] = None,
lambda_reconcile_id: Optional[str] = None,
linking_strategy: Optional[str] = None,
name: Optional[str] = None,
oauth2_authorization_endpoint: Optional[str] = None,
oauth2_client_authentication_method: Optional[str] = None,
oauth2_client_id: Optional[str] = None,
oauth2_client_secret: Optional[str] = None,
oauth2_email_claim: Optional[str] = None,
oauth2_issuer: Optional[str] = None,
oauth2_scope: Optional[str] = None,
oauth2_token_endpoint: Optional[str] = None,
oauth2_unique_id_claim: Optional[str] = None,
oauth2_user_info_endpoint: Optional[str] = None,
oauth2_username_claim: Optional[str] = None,
post_request: Optional[bool] = None,
tenant_configurations: Optional[Sequence[FusionAuthIdpOpenIdConnectTenantConfigurationArgs]] = None) -> FusionAuthIdpOpenIdConnectfunc GetFusionAuthIdpOpenIdConnect(ctx *Context, name string, id IDInput, state *FusionAuthIdpOpenIdConnectState, opts ...ResourceOption) (*FusionAuthIdpOpenIdConnect, error)public static FusionAuthIdpOpenIdConnect Get(string name, Input<string> id, FusionAuthIdpOpenIdConnectState? state, CustomResourceOptions? opts = null)public static FusionAuthIdpOpenIdConnect get(String name, Output<String> id, FusionAuthIdpOpenIdConnectState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Application
Configurations List<theogravity.Fusionauth. Inputs. Fusion Auth Idp Open Id Connect Application Configuration> - The configuration for each Application that the identity provider is enabled for.
- string
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- string
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- Debug bool
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- Domains List<string>
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- Enabled bool
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- Idp
Id string - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- Lambda
Reconcile stringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- Linking
Strategy string - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- Name string
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- string
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Client
Authentication stringMethod - The client authentication method to use with the OpenID Connect identity provider.
- Oauth2Client
Id string - The top-level client id for your Application.
- Oauth2Client
Secret string - The top-level client secret to use with the OpenID Connect identity provider.
- Oauth2Email
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- Oauth2Issuer string
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- Oauth2Scope string
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- Oauth2Token
Endpoint string - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Unique
Id stringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- Oauth2User
Info stringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Username
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- Post
Request bool - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- Tenant
Configurations List<theogravity.Fusionauth. Inputs. Fusion Auth Idp Open Id Connect Tenant Configuration> - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- Application
Configurations []FusionAuth Idp Open Id Connect Application Configuration Args - The configuration for each Application that the identity provider is enabled for.
- string
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- string
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- Debug bool
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- Domains []string
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- Enabled bool
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- Idp
Id string - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- Lambda
Reconcile stringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- Linking
Strategy string - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- Name string
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- string
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Client
Authentication stringMethod - The client authentication method to use with the OpenID Connect identity provider.
- Oauth2Client
Id string - The top-level client id for your Application.
- Oauth2Client
Secret string - The top-level client secret to use with the OpenID Connect identity provider.
- Oauth2Email
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- Oauth2Issuer string
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- Oauth2Scope string
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- Oauth2Token
Endpoint string - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Unique
Id stringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- Oauth2User
Info stringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- Oauth2Username
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- Post
Request bool - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- Tenant
Configurations []FusionAuth Idp Open Id Connect Tenant Configuration Args - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- application
Configurations List<FusionAuth Idp Open Id Connect Application Configuration> - The configuration for each Application that the identity provider is enabled for.
- String
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- String
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- debug Boolean
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains List<String>
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled Boolean
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp
Id String - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda
Reconcile StringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking
Strategy String - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name String
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- String
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2Client
Authentication StringMethod - The client authentication method to use with the OpenID Connect identity provider.
- oauth2Client
Id String - The top-level client id for your Application.
- oauth2Client
Secret String - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2Email
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2Issuer String
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2Scope String
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2Token
Endpoint String - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2Unique
Id StringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2User
Info StringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2Username
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post
Request Boolean - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant
Configurations List<FusionAuth Idp Open Id Connect Tenant Configuration> - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- application
Configurations FusionAuth Idp Open Id Connect Application Configuration[] - The configuration for each Application that the identity provider is enabled for.
- string
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- string
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- debug boolean
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains string[]
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled boolean
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp
Id string - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda
Reconcile stringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking
Strategy string - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name string
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- string
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2Client
Authentication stringMethod - The client authentication method to use with the OpenID Connect identity provider.
- oauth2Client
Id string - The top-level client id for your Application.
- oauth2Client
Secret string - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2Email
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2Issuer string
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2Scope string
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2Token
Endpoint string - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2Unique
Id stringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2User
Info stringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2Username
Claim string - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post
Request boolean - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant
Configurations FusionAuth Idp Open Id Connect Tenant Configuration[] - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- application_
configurations Sequence[FusionAuth Idp Open Id Connect Application Configuration Args] - The configuration for each Application that the identity provider is enabled for.
- str
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- str
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- debug bool
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains Sequence[str]
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled bool
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp_
id str - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda_
reconcile_ strid - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking_
strategy str - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name str
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- str
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2_
client_ strauthentication_ method - The client authentication method to use with the OpenID Connect identity provider.
- oauth2_
client_ strid - The top-level client id for your Application.
- oauth2_
client_ strsecret - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2_
email_ strclaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2_
issuer str - The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2_
scope str - The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2_
token_ strendpoint - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2_
unique_ strid_ claim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2_
user_ strinfo_ endpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2_
username_ strclaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post_
request bool - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant_
configurations Sequence[FusionAuth Idp Open Id Connect Tenant Configuration Args] - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
- application
Configurations List<Property Map> - The configuration for each Application that the identity provider is enabled for.
- String
- The top-level button image (URL) to use on the FusionAuth login page for this Identity Provider.
- String
- The top-level button text to use on the FusionAuth login page for this Identity Provider.
- debug Boolean
- Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
- domains List<String>
- This is an optional list of domains that this OpenID Connect provider should be used for. This converts the FusionAuth login form to a domain-based login form. This type of form first asks the user for their email. FusionAuth then uses their email to determine if an OpenID Connect identity provider should be used. If an OpenID Connect provider should be used, the browser is redirected to the authorization endpoint of that identity provider. Otherwise, the password field is revealed on the form so that the user can login using FusionAuth.
- enabled Boolean
- Determines if this provider is enabled. If it is false then it will be disabled globally.
- idp
Id String - The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
- lambda
Reconcile StringId - The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
- linking
Strategy String - The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
- name String
- The name of this OpenID Connect identity provider. This is only used for display purposes.
- String
- The top-level authorization endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the authorization endpoint. If you provide an issuer then this field will be ignored.
- oauth2Client
Authentication StringMethod - The client authentication method to use with the OpenID Connect identity provider.
- oauth2Client
Id String - The top-level client id for your Application.
- oauth2Client
Secret String - The top-level client secret to use with the OpenID Connect identity provider.
- oauth2Email
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the email address.
- oauth2Issuer String
- The top-level issuer URI for the OpenID Connect identity provider. If this is provided, the authorization endpoint, token endpoint and userinfo endpoint will all be resolved using the issuer URI plus /.well-known/openid-configuration.
- oauth2Scope String
- The top-level scope that you are requesting from the OpenID Connect identity provider.
- oauth2Token
Endpoint String - The top-level token endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the token endpoint. If you provide an issuer then this field will be ignored.
- oauth2Unique
Id StringClaim - An optional configuration to modify the expected name of the claim returned by the IdP that contains the user Id.
- oauth2User
Info StringEndpoint - The top-level userinfo endpoint for the OpenID Connect identity provider. You can leave this blank if you provide the issuer field, which will be used to make a request to the OpenID Connect .well-known endpoint in order to dynamically resolve the userinfo endpoint. If you provide an issuer then this field will be ignored.
- oauth2Username
Claim String - An optional configuration to modify the expected name of the claim returned by the IdP that contains the username.
- post
Request Boolean - Set this value equal to true if you wish to use POST bindings with this OpenID Connect identity provider. The default value of false means that a redirect binding which uses a GET request will be used.
- tenant
Configurations List<Property Map> - The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
Supporting Types
FusionAuthIdpOpenIdConnectApplicationConfiguration, FusionAuthIdpOpenIdConnectApplicationConfigurationArgs
- Application
Id string - ID of the Application to apply this configuration to.
- string
- This is an optional Application specific override for the top level button image URL.
- string
- This is an optional Application specific override for the top level button text.
- Create
Registration bool - Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
- Enabled bool
- Determines if this identity provider is enabled for the Application specified by the applicationId key.
- Oauth2Client
Id string - This is an optional Application specific override for the top level client id.
- Oauth2Client
Secret string - This is an optional Application specific override for the top level client secret.
- Oauth2Scope string
- This is an optional Application specific override for the top level scope.
- Application
Id string - ID of the Application to apply this configuration to.
- string
- This is an optional Application specific override for the top level button image URL.
- string
- This is an optional Application specific override for the top level button text.
- Create
Registration bool - Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
- Enabled bool
- Determines if this identity provider is enabled for the Application specified by the applicationId key.
- Oauth2Client
Id string - This is an optional Application specific override for the top level client id.
- Oauth2Client
Secret string - This is an optional Application specific override for the top level client secret.
- Oauth2Scope string
- This is an optional Application specific override for the top level scope.
- application
Id String - ID of the Application to apply this configuration to.
- String
- This is an optional Application specific override for the top level button image URL.
- String
- This is an optional Application specific override for the top level button text.
- create
Registration Boolean - Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
- enabled Boolean
- Determines if this identity provider is enabled for the Application specified by the applicationId key.
- oauth2Client
Id String - This is an optional Application specific override for the top level client id.
- oauth2Client
Secret String - This is an optional Application specific override for the top level client secret.
- oauth2Scope String
- This is an optional Application specific override for the top level scope.
- application
Id string - ID of the Application to apply this configuration to.
- string
- This is an optional Application specific override for the top level button image URL.
- string
- This is an optional Application specific override for the top level button text.
- create
Registration boolean - Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
- enabled boolean
- Determines if this identity provider is enabled for the Application specified by the applicationId key.
- oauth2Client
Id string - This is an optional Application specific override for the top level client id.
- oauth2Client
Secret string - This is an optional Application specific override for the top level client secret.
- oauth2Scope string
- This is an optional Application specific override for the top level scope.
- application_
id str - ID of the Application to apply this configuration to.
- str
- This is an optional Application specific override for the top level button image URL.
- str
- This is an optional Application specific override for the top level button text.
- create_
registration bool - Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
- enabled bool
- Determines if this identity provider is enabled for the Application specified by the applicationId key.
- oauth2_
client_ strid - This is an optional Application specific override for the top level client id.
- oauth2_
client_ strsecret - This is an optional Application specific override for the top level client secret.
- oauth2_
scope str - This is an optional Application specific override for the top level scope.
- application
Id String - ID of the Application to apply this configuration to.
- String
- This is an optional Application specific override for the top level button image URL.
- String
- This is an optional Application specific override for the top level button text.
- create
Registration Boolean - Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
- enabled Boolean
- Determines if this identity provider is enabled for the Application specified by the applicationId key.
- oauth2Client
Id String - This is an optional Application specific override for the top level client id.
- oauth2Client
Secret String - This is an optional Application specific override for the top level client secret.
- oauth2Scope String
- This is an optional Application specific override for the top level scope.
FusionAuthIdpOpenIdConnectTenantConfiguration, FusionAuthIdpOpenIdConnectTenantConfigurationArgs
- Limit
User boolLink Count Enabled - When enabled, the number of identity provider links a user may create is enforced by maximumLinks.
- Limit
User intLink Count Maximum Links - Determines if this provider is enabled. If it is false then it will be disabled globally.
- Tenant
Id string - The unique Id of the tenant that this configuration applies to.
- Limit
User boolLink Count Enabled - When enabled, the number of identity provider links a user may create is enforced by maximumLinks.
- Limit
User intLink Count Maximum Links - Determines if this provider is enabled. If it is false then it will be disabled globally.
- Tenant
Id string - The unique Id of the tenant that this configuration applies to.
- limit
User BooleanLink Count Enabled - When enabled, the number of identity provider links a user may create is enforced by maximumLinks.
- limit
User IntegerLink Count Maximum Links - Determines if this provider is enabled. If it is false then it will be disabled globally.
- tenant
Id String - The unique Id of the tenant that this configuration applies to.
- limit
User booleanLink Count Enabled - When enabled, the number of identity provider links a user may create is enforced by maximumLinks.
- limit
User numberLink Count Maximum Links - Determines if this provider is enabled. If it is false then it will be disabled globally.
- tenant
Id string - The unique Id of the tenant that this configuration applies to.
- limit_
user_ boollink_ count_ enabled - When enabled, the number of identity provider links a user may create is enforced by maximumLinks.
- limit_
user_ intlink_ count_ maximum_ links - Determines if this provider is enabled. If it is false then it will be disabled globally.
- tenant_
id str - The unique Id of the tenant that this configuration applies to.
- limit
User BooleanLink Count Enabled - When enabled, the number of identity provider links a user may create is enforced by maximumLinks.
- limit
User NumberLink Count Maximum Links - Determines if this provider is enabled. If it is false then it will be disabled globally.
- tenant
Id String - The unique Id of the tenant that this configuration applies to.
Package Details
- Repository
- fusionauth theogravity/pulumi-fusionauth
- License
- MIT
- Notes
- This Pulumi package is based on the
fusionauthTerraform Provider.