Keycloak v6.2.2, Apr 9 25

Keycloak v6.2.2 published on Wednesday, Apr 9, 2025 by Pulumi

keycloak.oidc.GoogleIdentityProvider

Explore with Pulumi AI

Keycloak v6.2.2 published on Wednesday, Apr 9, 2025 by Pulumi

Example Usage

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const google = new keycloak.oidc.GoogleIdentityProvider("google", {
    realm: realm.id,
    clientId: googleIdentityProviderClientId,
    clientSecret: googleIdentityProviderClientSecret,
    trustEmail: true,
    hostedDomain: "example.com",
    syncMode: "IMPORT",
    extraConfig: {
        myCustomConfigKey: "myValue",
    },
});

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
google = keycloak.oidc.GoogleIdentityProvider("google",
    realm=realm.id,
    client_id=google_identity_provider_client_id,
    client_secret=google_identity_provider_client_secret,
    trust_email=True,
    hosted_domain="example.com",
    sync_mode="IMPORT",
    extra_config={
        "myCustomConfigKey": "myValue",
    })

package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/oidc"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = oidc.NewGoogleIdentityProvider(ctx, "google", &oidc.GoogleIdentityProviderArgs{
			Realm:        realm.ID(),
			ClientId:     pulumi.Any(googleIdentityProviderClientId),
			ClientSecret: pulumi.Any(googleIdentityProviderClientSecret),
			TrustEmail:   pulumi.Bool(true),
			HostedDomain: pulumi.String("example.com"),
			SyncMode:     pulumi.String("IMPORT"),
			ExtraConfig: pulumi.StringMap{
				"myCustomConfigKey": pulumi.String("myValue"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var google = new Keycloak.Oidc.GoogleIdentityProvider("google", new()
    {
        Realm = realm.Id,
        ClientId = googleIdentityProviderClientId,
        ClientSecret = googleIdentityProviderClientSecret,
        TrustEmail = true,
        HostedDomain = "example.com",
        SyncMode = "IMPORT",
        ExtraConfig = 
        {
            { "myCustomConfigKey", "myValue" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.oidc.GoogleIdentityProvider;
import com.pulumi.keycloak.oidc.GoogleIdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var google = new GoogleIdentityProvider("google", GoogleIdentityProviderArgs.builder()
            .realm(realm.id())
            .clientId(googleIdentityProviderClientId)
            .clientSecret(googleIdentityProviderClientSecret)
            .trustEmail(true)
            .hostedDomain("example.com")
            .syncMode("IMPORT")
            .extraConfig(Map.of("myCustomConfigKey", "myValue"))
            .build());

    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  google:
    type: keycloak:oidc:GoogleIdentityProvider
    properties:
      realm: ${realm.id}
      clientId: ${googleIdentityProviderClientId}
      clientSecret: ${googleIdentityProviderClientSecret}
      trustEmail: true
      hostedDomain: example.com
      syncMode: IMPORT
      extraConfig:
        myCustomConfigKey: myValue

Create GoogleIdentityProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new GoogleIdentityProvider(name: string, args: GoogleIdentityProviderArgs, opts?: CustomResourceOptions);

@overload
def GoogleIdentityProvider(resource_name: str,
                           args: GoogleIdentityProviderArgs,
                           opts: Optional[ResourceOptions] = None)

@overload
def GoogleIdentityProvider(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           client_id: Optional[str] = None,
                           realm: Optional[str] = None,
                           client_secret: Optional[str] = None,
                           gui_order: Optional[str] = None,
                           hosted_domain: Optional[str] = None,
                           default_scopes: Optional[str] = None,
                           disable_user_info: Optional[bool] = None,
                           enabled: Optional[bool] = None,
                           extra_config: Optional[Mapping[str, str]] = None,
                           first_broker_login_flow_alias: Optional[str] = None,
                           accepts_prompt_none_forward_from_client: Optional[bool] = None,
                           hide_on_login_page: Optional[bool] = None,
                           authenticate_by_default: Optional[bool] = None,
                           link_only: Optional[bool] = None,
                           post_broker_login_flow_alias: Optional[str] = None,
                           provider_id: Optional[str] = None,
                           add_read_token_role_on_create: Optional[bool] = None,
                           request_refresh_token: Optional[bool] = None,
                           store_token: Optional[bool] = None,
                           sync_mode: Optional[str] = None,
                           trust_email: Optional[bool] = None,
                           use_user_ip_param: Optional[bool] = None)

func NewGoogleIdentityProvider(ctx *Context, name string, args GoogleIdentityProviderArgs, opts ...ResourceOption) (*GoogleIdentityProvider, error)

public GoogleIdentityProvider(string name, GoogleIdentityProviderArgs args, CustomResourceOptions? opts = null)

public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args)
public GoogleIdentityProvider(String name, GoogleIdentityProviderArgs args, CustomResourceOptions options)

type: keycloak:oidc:GoogleIdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args GoogleIdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args GoogleIdentityProviderArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args GoogleIdentityProviderArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args GoogleIdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args GoogleIdentityProviderArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var googleIdentityProviderResource = new Keycloak.Oidc.GoogleIdentityProvider("googleIdentityProviderResource", new()
{
    ClientId = "string",
    Realm = "string",
    ClientSecret = "string",
    GuiOrder = "string",
    HostedDomain = "string",
    DefaultScopes = "string",
    DisableUserInfo = false,
    Enabled = false,
    ExtraConfig = 
    {
        { "string", "string" },
    },
    FirstBrokerLoginFlowAlias = "string",
    AcceptsPromptNoneForwardFromClient = false,
    HideOnLoginPage = false,
    AuthenticateByDefault = false,
    LinkOnly = false,
    PostBrokerLoginFlowAlias = "string",
    ProviderId = "string",
    AddReadTokenRoleOnCreate = false,
    RequestRefreshToken = false,
    StoreToken = false,
    SyncMode = "string",
    TrustEmail = false,
    UseUserIpParam = false,
});

example, err := oidc.NewGoogleIdentityProvider(ctx, "googleIdentityProviderResource", &oidc.GoogleIdentityProviderArgs{
	ClientId:        pulumi.String("string"),
	Realm:           pulumi.String("string"),
	ClientSecret:    pulumi.String("string"),
	GuiOrder:        pulumi.String("string"),
	HostedDomain:    pulumi.String("string"),
	DefaultScopes:   pulumi.String("string"),
	DisableUserInfo: pulumi.Bool(false),
	Enabled:         pulumi.Bool(false),
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	FirstBrokerLoginFlowAlias:          pulumi.String("string"),
	AcceptsPromptNoneForwardFromClient: pulumi.Bool(false),
	HideOnLoginPage:                    pulumi.Bool(false),
	AuthenticateByDefault:              pulumi.Bool(false),
	LinkOnly:                           pulumi.Bool(false),
	PostBrokerLoginFlowAlias:           pulumi.String("string"),
	ProviderId:                         pulumi.String("string"),
	AddReadTokenRoleOnCreate:           pulumi.Bool(false),
	RequestRefreshToken:                pulumi.Bool(false),
	StoreToken:                         pulumi.Bool(false),
	SyncMode:                           pulumi.String("string"),
	TrustEmail:                         pulumi.Bool(false),
	UseUserIpParam:                     pulumi.Bool(false),
})

var googleIdentityProviderResource = new GoogleIdentityProvider("googleIdentityProviderResource", GoogleIdentityProviderArgs.builder()
    .clientId("string")
    .realm("string")
    .clientSecret("string")
    .guiOrder("string")
    .hostedDomain("string")
    .defaultScopes("string")
    .disableUserInfo(false)
    .enabled(false)
    .extraConfig(Map.of("string", "string"))
    .firstBrokerLoginFlowAlias("string")
    .acceptsPromptNoneForwardFromClient(false)
    .hideOnLoginPage(false)
    .authenticateByDefault(false)
    .linkOnly(false)
    .postBrokerLoginFlowAlias("string")
    .providerId("string")
    .addReadTokenRoleOnCreate(false)
    .requestRefreshToken(false)
    .storeToken(false)
    .syncMode("string")
    .trustEmail(false)
    .useUserIpParam(false)
    .build());

google_identity_provider_resource = keycloak.oidc.GoogleIdentityProvider("googleIdentityProviderResource",
    client_id="string",
    realm="string",
    client_secret="string",
    gui_order="string",
    hosted_domain="string",
    default_scopes="string",
    disable_user_info=False,
    enabled=False,
    extra_config={
        "string": "string",
    },
    first_broker_login_flow_alias="string",
    accepts_prompt_none_forward_from_client=False,
    hide_on_login_page=False,
    authenticate_by_default=False,
    link_only=False,
    post_broker_login_flow_alias="string",
    provider_id="string",
    add_read_token_role_on_create=False,
    request_refresh_token=False,
    store_token=False,
    sync_mode="string",
    trust_email=False,
    use_user_ip_param=False)

const googleIdentityProviderResource = new keycloak.oidc.GoogleIdentityProvider("googleIdentityProviderResource", {
    clientId: "string",
    realm: "string",
    clientSecret: "string",
    guiOrder: "string",
    hostedDomain: "string",
    defaultScopes: "string",
    disableUserInfo: false,
    enabled: false,
    extraConfig: {
        string: "string",
    },
    firstBrokerLoginFlowAlias: "string",
    acceptsPromptNoneForwardFromClient: false,
    hideOnLoginPage: false,
    authenticateByDefault: false,
    linkOnly: false,
    postBrokerLoginFlowAlias: "string",
    providerId: "string",
    addReadTokenRoleOnCreate: false,
    requestRefreshToken: false,
    storeToken: false,
    syncMode: "string",
    trustEmail: false,
    useUserIpParam: false,
});

type: keycloak:oidc:GoogleIdentityProvider
properties:
    acceptsPromptNoneForwardFromClient: false
    addReadTokenRoleOnCreate: false
    authenticateByDefault: false
    clientId: string
    clientSecret: string
    defaultScopes: string
    disableUserInfo: false
    enabled: false
    extraConfig:
        string: string
    firstBrokerLoginFlowAlias: string
    guiOrder: string
    hideOnLoginPage: false
    hostedDomain: string
    linkOnly: false
    postBrokerLoginFlowAlias: string
    providerId: string
    realm: string
    requestRefreshToken: false
    storeToken: false
    syncMode: string
    trustEmail: false
    useUserIpParam: false

GoogleIdentityProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The GoogleIdentityProvider resource accepts the following input properties:

ClientId string: The client or client identifier registered within the identity provider.
ClientSecret string: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
Realm string: The name of the realm. This is unique across Keycloak.
AcceptsPromptNoneForwardFromClient bool: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
DefaultScopes string: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
DisableUserInfo bool: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
Enabled bool: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig Dictionary<string, string>
FirstBrokerLoginFlowAlias string: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: When true, this identity provider will be hidden on the login page. Defaults to false.
HostedDomain string: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
LinkOnly bool: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
PostBrokerLoginFlowAlias string: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
RequestRefreshToken bool: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UseUserIpParam bool: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

ClientId string: The client or client identifier registered within the identity provider.
ClientSecret string: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
Realm string: The name of the realm. This is unique across Keycloak.
AcceptsPromptNoneForwardFromClient bool: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
DefaultScopes string: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
DisableUserInfo bool: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
Enabled bool: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig map[string]string
FirstBrokerLoginFlowAlias string: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: When true, this identity provider will be hidden on the login page. Defaults to false.
HostedDomain string: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
LinkOnly bool: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
PostBrokerLoginFlowAlias string: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
RequestRefreshToken bool: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UseUserIpParam bool: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

clientId String: The client or client identifier registered within the identity provider.
clientSecret String: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
realm String: The name of the realm. This is unique across Keycloak.
acceptsPromptNoneForwardFromClient Boolean: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
defaultScopes String: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disableUserInfo Boolean: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
enabled Boolean: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String,String>
firstBrokerLoginFlowAlias String: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: When true, this identity provider will be hidden on the login page. Defaults to false.
hostedDomain String: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
linkOnly Boolean: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
postBrokerLoginFlowAlias String: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
requestRefreshToken Boolean: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
useUserIpParam Boolean: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

clientId string: The client or client identifier registered within the identity provider.
clientSecret string: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
realm string: The name of the realm. This is unique across Keycloak.
acceptsPromptNoneForwardFromClient boolean: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
addReadTokenRoleOnCreate boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault boolean: Enable/disable authenticate users by default.
defaultScopes string: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disableUserInfo boolean: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
enabled boolean: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig {[key: string]: string}
firstBrokerLoginFlowAlias string: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder string: A number defining the order of this identity provider in the GUI.
hideOnLoginPage boolean: When true, this identity provider will be hidden on the login page. Defaults to false.
hostedDomain string: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
linkOnly boolean: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
postBrokerLoginFlowAlias string: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId string: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
requestRefreshToken boolean: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
storeToken boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trustEmail boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
useUserIpParam boolean: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

client_id str: The client or client identifier registered within the identity provider.
client_secret str: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
realm str: The name of the realm. This is unique across Keycloak.
accepts_prompt_none_forward_from_client bool: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
add_read_token_role_on_create bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticate_by_default bool: Enable/disable authenticate users by default.
default_scopes str: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disable_user_info bool: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
enabled bool: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extra_config Mapping[str, str]
first_broker_login_flow_alias str: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
gui_order str: A number defining the order of this identity provider in the GUI.
hide_on_login_page bool: When true, this identity provider will be hidden on the login page. Defaults to false.
hosted_domain str: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
link_only bool: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
post_broker_login_flow_alias str: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
provider_id str: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
request_refresh_token bool: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
store_token bool: When true, tokens will be stored after authenticating users. Defaults to true.
sync_mode str: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trust_email bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
use_user_ip_param bool: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

clientId String: The client or client identifier registered within the identity provider.
clientSecret String: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
realm String: The name of the realm. This is unique across Keycloak.
acceptsPromptNoneForwardFromClient Boolean: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
defaultScopes String: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disableUserInfo Boolean: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
enabled Boolean: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String>
firstBrokerLoginFlowAlias String: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: When true, this identity provider will be hidden on the login page. Defaults to false.
hostedDomain String: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
linkOnly Boolean: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
postBrokerLoginFlowAlias String: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
requestRefreshToken Boolean: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
useUserIpParam Boolean: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

Outputs

All input properties are implicitly available as output properties. Additionally, the GoogleIdentityProvider resource produces the following output properties:

Alias string: (Computed) The alias for the Google identity provider.
DisplayName string: (Computed) Display name for the Google identity provider in the GUI.
Id string: The provider-assigned unique ID for this managed resource.
InternalId string: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Alias string: (Computed) The alias for the Google identity provider.
DisplayName string: (Computed) Display name for the Google identity provider in the GUI.
Id string: The provider-assigned unique ID for this managed resource.
InternalId string: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias String: (Computed) The alias for the Google identity provider.
displayName String: (Computed) Display name for the Google identity provider in the GUI.
id String: The provider-assigned unique ID for this managed resource.
internalId String: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias string: (Computed) The alias for the Google identity provider.
displayName string: (Computed) Display name for the Google identity provider in the GUI.
id string: The provider-assigned unique ID for this managed resource.
internalId string: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias str: (Computed) The alias for the Google identity provider.
display_name str: (Computed) Display name for the Google identity provider in the GUI.
id str: The provider-assigned unique ID for this managed resource.
internal_id str: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

alias String: (Computed) The alias for the Google identity provider.
displayName String: (Computed) Display name for the Google identity provider in the GUI.
id String: The provider-assigned unique ID for this managed resource.
internalId String: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.

Look up Existing GoogleIdentityProvider Resource

Get an existing GoogleIdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: GoogleIdentityProviderState, opts?: CustomResourceOptions): GoogleIdentityProvider

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accepts_prompt_none_forward_from_client: Optional[bool] = None,
        add_read_token_role_on_create: Optional[bool] = None,
        alias: Optional[str] = None,
        authenticate_by_default: Optional[bool] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        default_scopes: Optional[str] = None,
        disable_user_info: Optional[bool] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        extra_config: Optional[Mapping[str, str]] = None,
        first_broker_login_flow_alias: Optional[str] = None,
        gui_order: Optional[str] = None,
        hide_on_login_page: Optional[bool] = None,
        hosted_domain: Optional[str] = None,
        internal_id: Optional[str] = None,
        link_only: Optional[bool] = None,
        post_broker_login_flow_alias: Optional[str] = None,
        provider_id: Optional[str] = None,
        realm: Optional[str] = None,
        request_refresh_token: Optional[bool] = None,
        store_token: Optional[bool] = None,
        sync_mode: Optional[str] = None,
        trust_email: Optional[bool] = None,
        use_user_ip_param: Optional[bool] = None) -> GoogleIdentityProvider

func GetGoogleIdentityProvider(ctx *Context, name string, id IDInput, state *GoogleIdentityProviderState, opts ...ResourceOption) (*GoogleIdentityProvider, error)

public static GoogleIdentityProvider Get(string name, Input<string> id, GoogleIdentityProviderState? state, CustomResourceOptions? opts = null)

public static GoogleIdentityProvider get(String name, Output<String> id, GoogleIdentityProviderState state, CustomResourceOptions options)

resources:  _:    type: keycloak:oidc:GoogleIdentityProvider    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AcceptsPromptNoneForwardFromClient bool: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
Alias string: (Computed) The alias for the Google identity provider.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
ClientId string: The client or client identifier registered within the identity provider.
ClientSecret string: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
DefaultScopes string: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
DisableUserInfo bool: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
DisplayName string: (Computed) Display name for the Google identity provider in the GUI.
Enabled bool: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig Dictionary<string, string>
FirstBrokerLoginFlowAlias string: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: When true, this identity provider will be hidden on the login page. Defaults to false.
HostedDomain string: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
InternalId string: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
LinkOnly bool: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
PostBrokerLoginFlowAlias string: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
Realm string: The name of the realm. This is unique across Keycloak.
RequestRefreshToken bool: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UseUserIpParam bool: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

AcceptsPromptNoneForwardFromClient bool: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
Alias string: (Computed) The alias for the Google identity provider.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
ClientId string: The client or client identifier registered within the identity provider.
ClientSecret string: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
DefaultScopes string: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
DisableUserInfo bool: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
DisplayName string: (Computed) Display name for the Google identity provider in the GUI.
Enabled bool: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
ExtraConfig map[string]string
FirstBrokerLoginFlowAlias string: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: When true, this identity provider will be hidden on the login page. Defaults to false.
HostedDomain string: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
InternalId string: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
LinkOnly bool: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
PostBrokerLoginFlowAlias string: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
ProviderId string: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
Realm string: The name of the realm. This is unique across Keycloak.
RequestRefreshToken bool: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
UseUserIpParam bool: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

acceptsPromptNoneForwardFromClient Boolean: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias String: (Computed) The alias for the Google identity provider.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
clientId String: The client or client identifier registered within the identity provider.
clientSecret String: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
defaultScopes String: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disableUserInfo Boolean: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName String: (Computed) Display name for the Google identity provider in the GUI.
enabled Boolean: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String,String>
firstBrokerLoginFlowAlias String: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: When true, this identity provider will be hidden on the login page. Defaults to false.
hostedDomain String: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
internalId String: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
linkOnly Boolean: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
postBrokerLoginFlowAlias String: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
realm String: The name of the realm. This is unique across Keycloak.
requestRefreshToken Boolean: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
useUserIpParam Boolean: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

acceptsPromptNoneForwardFromClient boolean: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
addReadTokenRoleOnCreate boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias string: (Computed) The alias for the Google identity provider.
authenticateByDefault boolean: Enable/disable authenticate users by default.
clientId string: The client or client identifier registered within the identity provider.
clientSecret string: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
defaultScopes string: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disableUserInfo boolean: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName string: (Computed) Display name for the Google identity provider in the GUI.
enabled boolean: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig {[key: string]: string}
firstBrokerLoginFlowAlias string: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder string: A number defining the order of this identity provider in the GUI.
hideOnLoginPage boolean: When true, this identity provider will be hidden on the login page. Defaults to false.
hostedDomain string: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
internalId string: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
linkOnly boolean: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
postBrokerLoginFlowAlias string: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId string: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
realm string: The name of the realm. This is unique across Keycloak.
requestRefreshToken boolean: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
storeToken boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trustEmail boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
useUserIpParam boolean: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

accepts_prompt_none_forward_from_client bool: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
add_read_token_role_on_create bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias str: (Computed) The alias for the Google identity provider.
authenticate_by_default bool: Enable/disable authenticate users by default.
client_id str: The client or client identifier registered within the identity provider.
client_secret str: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
default_scopes str: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disable_user_info bool: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
display_name str: (Computed) Display name for the Google identity provider in the GUI.
enabled bool: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extra_config Mapping[str, str]
first_broker_login_flow_alias str: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
gui_order str: A number defining the order of this identity provider in the GUI.
hide_on_login_page bool: When true, this identity provider will be hidden on the login page. Defaults to false.
hosted_domain str: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
internal_id str: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
link_only bool: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
post_broker_login_flow_alias str: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
provider_id str: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
realm str: The name of the realm. This is unique across Keycloak.
request_refresh_token bool: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
store_token bool: When true, tokens will be stored after authenticating users. Defaults to true.
sync_mode str: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trust_email bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
use_user_ip_param bool: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

acceptsPromptNoneForwardFromClient Boolean: When true, unauthenticated requests with prompt=none will be forwarded to Google instead of returning an error. Defaults to false.
addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias String: (Computed) The alias for the Google identity provider.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
clientId String: The client or client identifier registered within the identity provider.
clientSecret String: The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use $${vault.ID} format.
defaultScopes String: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to openid profile email.
disableUserInfo Boolean: When true, disables the usage of the user info service to obtain additional user information. Defaults to false.
displayName String: (Computed) Display name for the Google identity provider in the GUI.
enabled Boolean: When true, users will be able to log in to this realm using this identity provider. Defaults to true.
extraConfig Map<String>
firstBrokerLoginFlowAlias String: The authentication flow to use when users log in for the first time through this identity provider. Defaults to first broker login.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: When true, this identity provider will be hidden on the login page. Defaults to false.
hostedDomain String: Sets the "hd" query parameter when logging in with Google. Google will only list accounts for this domain. Keycloak will validate that the returned identity token has a claim for this domain. When * is entered, an account from any domain can be used.
internalId String: (Computed) The unique ID that Keycloak assigns to the identity provider upon creation.
linkOnly Boolean: When true, users cannot sign-in using this provider, but their existing accounts will be linked when possible. Defaults to false.
postBrokerLoginFlowAlias String: The authentication flow to use after users have successfully logged in, which can be used to perform additional user verification (such as OTP checking). Defaults to an empty string, which means no post login flow will be used.
providerId String: The ID of the identity provider to use. Defaults to google, which should be used unless you have extended Keycloak and provided your own implementation.
realm String: The name of the realm. This is unique across Keycloak.
requestRefreshToken Boolean: Sets the "access_type" query parameter to "offline" when redirecting to google authorization endpoint,to get a refresh token back. This is useful for using Token Exchange to retrieve a Google token to access Google APIs when the user is offline.
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be once of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
useUserIpParam Boolean: Sets the "userIp" query parameter when querying Google's User Info service. This will use the user's IP address. This is useful if Google is throttling Keycloak's access to the User Info service.

Import

Google Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

Example:

bash

$ pulumi import keycloak:oidc/googleIdentityProvider:GoogleIdentityProvider google_identity_provider my-realm/my-google-idp

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Keycloak pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.

Keycloak v6.2.2 published on Wednesday, Apr 9, 2025 by Pulumi

pulumi/pulumi-keycloak

keycloak.oidc.GoogleIdentityProvider

On this page

On this page

Example Usage

Create GoogleIdentityProvider Resource

Constructor syntax

Parameters

Constructor example

GoogleIdentityProvider Resource Properties

Inputs

Outputs

Look up Existing GoogleIdentityProvider Resource

Import

Package Details

On this page

On this page