Docs Home
Okta v4.15.0 published on Friday, Mar 7, 2025 by Pulumi
okta.app.OAuth
Explore with Pulumi AI
This resource allows you to create and configure an OIDC Application.
During an apply if there is change in status the app will first be activated or deactivated in accordance with the status change. Then, all other arguments that changed will be applied.
okta.app.OAuthRedirectUrihas been marked deprecated and will be removed in the v5 release of the provider. Operators should manage the redirect URIs for an oauth app directly on that resource.
Private Keys
The private key format that an Okta OAuth app expects is PKCS#8 (unencrypted).
The operator either uploads their own private key or Okta can generate one in
the Admin UI Panel under the apps Client Credentials. PKCS#8 format can be
identified by a header that starts with -----BEGIN PRIVATE KEY-----. If the
operator has a PKCS#1 (unencrypted) format private key (the header starts with
-----BEGIN RSA PRIVATE KEY-----) they can generate a PKCS#8 format
key with openssl:
openssl rsa -in pkcs1.pem -out pkcs8-example.pem
Create OAuth Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new OAuth(name: string, args: OAuthArgs, opts?: CustomResourceOptions);@overload
def OAuth(resource_name: str,
args: OAuthArgs,
opts: Optional[ResourceOptions] = None)
@overload
def OAuth(resource_name: str,
opts: Optional[ResourceOptions] = None,
label: Optional[str] = None,
type: Optional[str] = None,
client_uri: Optional[str] = None,
app_settings_json: Optional[str] = None,
app_links_json: Optional[str] = None,
login_mode: Optional[str] = None,
authentication_policy: Optional[str] = None,
auto_key_rotation: Optional[bool] = None,
auto_submit_toolbar: Optional[bool] = None,
client_basic_secret: Optional[str] = None,
client_id: Optional[str] = None,
accessibility_error_redirect_url: Optional[str] = None,
accessibility_self_service: Optional[bool] = None,
enduser_note: Optional[str] = None,
login_scopes: Optional[Sequence[str]] = None,
groups_claim: Optional[OAuthGroupsClaimArgs] = None,
hide_ios: Optional[bool] = None,
hide_web: Optional[bool] = None,
implicit_assignment: Optional[bool] = None,
issuer_mode: Optional[str] = None,
jwks: Optional[Sequence[OAuthJwkArgs]] = None,
jwks_uri: Optional[str] = None,
consent_method: Optional[str] = None,
admin_note: Optional[str] = None,
grant_types: Optional[Sequence[str]] = None,
login_uri: Optional[str] = None,
logo: Optional[str] = None,
logo_uri: Optional[str] = None,
omit_secret: Optional[bool] = None,
pkce_required: Optional[bool] = None,
policy_uri: Optional[str] = None,
post_logout_redirect_uris: Optional[Sequence[str]] = None,
profile: Optional[str] = None,
redirect_uris: Optional[Sequence[str]] = None,
refresh_token_leeway: Optional[int] = None,
refresh_token_rotation: Optional[str] = None,
response_types: Optional[Sequence[str]] = None,
status: Optional[str] = None,
token_endpoint_auth_method: Optional[str] = None,
tos_uri: Optional[str] = None,
accessibility_login_redirect_url: Optional[str] = None,
user_name_template: Optional[str] = None,
user_name_template_push_status: Optional[str] = None,
user_name_template_suffix: Optional[str] = None,
user_name_template_type: Optional[str] = None,
wildcard_redirect: Optional[str] = None)func NewOAuth(ctx *Context, name string, args OAuthArgs, opts ...ResourceOption) (*OAuth, error)public OAuth(string name, OAuthArgs args, CustomResourceOptions? opts = null)type: okta:app:OAuth
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args OAuthArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var oauthResource = new Okta.App.OAuth("oauthResource", new()
{
Label = "string",
Type = "string",
ClientUri = "string",
AppSettingsJson = "string",
AppLinksJson = "string",
LoginMode = "string",
AuthenticationPolicy = "string",
AutoKeyRotation = false,
AutoSubmitToolbar = false,
ClientBasicSecret = "string",
ClientId = "string",
AccessibilityErrorRedirectUrl = "string",
AccessibilitySelfService = false,
EnduserNote = "string",
LoginScopes = new[]
{
"string",
},
GroupsClaim = new Okta.App.Inputs.OAuthGroupsClaimArgs
{
Name = "string",
Type = "string",
Value = "string",
FilterType = "string",
IssuerMode = "string",
},
HideIos = false,
HideWeb = false,
ImplicitAssignment = false,
IssuerMode = "string",
Jwks = new[]
{
new Okta.App.Inputs.OAuthJwkArgs
{
Kid = "string",
Kty = "string",
E = "string",
N = "string",
X = "string",
Y = "string",
},
},
JwksUri = "string",
ConsentMethod = "string",
AdminNote = "string",
GrantTypes = new[]
{
"string",
},
LoginUri = "string",
Logo = "string",
LogoUri = "string",
OmitSecret = false,
PkceRequired = false,
PolicyUri = "string",
PostLogoutRedirectUris = new[]
{
"string",
},
Profile = "string",
RedirectUris = new[]
{
"string",
},
RefreshTokenLeeway = 0,
RefreshTokenRotation = "string",
ResponseTypes = new[]
{
"string",
},
Status = "string",
TokenEndpointAuthMethod = "string",
TosUri = "string",
AccessibilityLoginRedirectUrl = "string",
UserNameTemplate = "string",
UserNameTemplatePushStatus = "string",
UserNameTemplateSuffix = "string",
UserNameTemplateType = "string",
WildcardRedirect = "string",
});
example, err := app.NewOAuth(ctx, "oauthResource", &app.OAuthArgs{
Label: pulumi.String("string"),
Type: pulumi.String("string"),
ClientUri: pulumi.String("string"),
AppSettingsJson: pulumi.String("string"),
AppLinksJson: pulumi.String("string"),
LoginMode: pulumi.String("string"),
AuthenticationPolicy: pulumi.String("string"),
AutoKeyRotation: pulumi.Bool(false),
AutoSubmitToolbar: pulumi.Bool(false),
ClientBasicSecret: pulumi.String("string"),
ClientId: pulumi.String("string"),
AccessibilityErrorRedirectUrl: pulumi.String("string"),
AccessibilitySelfService: pulumi.Bool(false),
EnduserNote: pulumi.String("string"),
LoginScopes: pulumi.StringArray{
pulumi.String("string"),
},
GroupsClaim: &app.OAuthGroupsClaimArgs{
Name: pulumi.String("string"),
Type: pulumi.String("string"),
Value: pulumi.String("string"),
FilterType: pulumi.String("string"),
IssuerMode: pulumi.String("string"),
},
HideIos: pulumi.Bool(false),
HideWeb: pulumi.Bool(false),
ImplicitAssignment: pulumi.Bool(false),
IssuerMode: pulumi.String("string"),
Jwks: app.OAuthJwkArray{
&app.OAuthJwkArgs{
Kid: pulumi.String("string"),
Kty: pulumi.String("string"),
E: pulumi.String("string"),
N: pulumi.String("string"),
X: pulumi.String("string"),
Y: pulumi.String("string"),
},
},
JwksUri: pulumi.String("string"),
ConsentMethod: pulumi.String("string"),
AdminNote: pulumi.String("string"),
GrantTypes: pulumi.StringArray{
pulumi.String("string"),
},
LoginUri: pulumi.String("string"),
Logo: pulumi.String("string"),
LogoUri: pulumi.String("string"),
OmitSecret: pulumi.Bool(false),
PkceRequired: pulumi.Bool(false),
PolicyUri: pulumi.String("string"),
PostLogoutRedirectUris: pulumi.StringArray{
pulumi.String("string"),
},
Profile: pulumi.String("string"),
RedirectUris: pulumi.StringArray{
pulumi.String("string"),
},
RefreshTokenLeeway: pulumi.Int(0),
RefreshTokenRotation: pulumi.String("string"),
ResponseTypes: pulumi.StringArray{
pulumi.String("string"),
},
Status: pulumi.String("string"),
TokenEndpointAuthMethod: pulumi.String("string"),
TosUri: pulumi.String("string"),
AccessibilityLoginRedirectUrl: pulumi.String("string"),
UserNameTemplate: pulumi.String("string"),
UserNameTemplatePushStatus: pulumi.String("string"),
UserNameTemplateSuffix: pulumi.String("string"),
UserNameTemplateType: pulumi.String("string"),
WildcardRedirect: pulumi.String("string"),
})
var oauthResource = new OAuth("oauthResource", OAuthArgs.builder()
.label("string")
.type("string")
.clientUri("string")
.appSettingsJson("string")
.appLinksJson("string")
.loginMode("string")
.authenticationPolicy("string")
.autoKeyRotation(false)
.autoSubmitToolbar(false)
.clientBasicSecret("string")
.clientId("string")
.accessibilityErrorRedirectUrl("string")
.accessibilitySelfService(false)
.enduserNote("string")
.loginScopes("string")
.groupsClaim(OAuthGroupsClaimArgs.builder()
.name("string")
.type("string")
.value("string")
.filterType("string")
.issuerMode("string")
.build())
.hideIos(false)
.hideWeb(false)
.implicitAssignment(false)
.issuerMode("string")
.jwks(OAuthJwkArgs.builder()
.kid("string")
.kty("string")
.e("string")
.n("string")
.x("string")
.y("string")
.build())
.jwksUri("string")
.consentMethod("string")
.adminNote("string")
.grantTypes("string")
.loginUri("string")
.logo("string")
.logoUri("string")
.omitSecret(false)
.pkceRequired(false)
.policyUri("string")
.postLogoutRedirectUris("string")
.profile("string")
.redirectUris("string")
.refreshTokenLeeway(0)
.refreshTokenRotation("string")
.responseTypes("string")
.status("string")
.tokenEndpointAuthMethod("string")
.tosUri("string")
.accessibilityLoginRedirectUrl("string")
.userNameTemplate("string")
.userNameTemplatePushStatus("string")
.userNameTemplateSuffix("string")
.userNameTemplateType("string")
.wildcardRedirect("string")
.build());
oauth_resource = okta.app.OAuth("oauthResource",
label="string",
type="string",
client_uri="string",
app_settings_json="string",
app_links_json="string",
login_mode="string",
authentication_policy="string",
auto_key_rotation=False,
auto_submit_toolbar=False,
client_basic_secret="string",
client_id="string",
accessibility_error_redirect_url="string",
accessibility_self_service=False,
enduser_note="string",
login_scopes=["string"],
groups_claim={
"name": "string",
"type": "string",
"value": "string",
"filter_type": "string",
"issuer_mode": "string",
},
hide_ios=False,
hide_web=False,
implicit_assignment=False,
issuer_mode="string",
jwks=[{
"kid": "string",
"kty": "string",
"e": "string",
"n": "string",
"x": "string",
"y": "string",
}],
jwks_uri="string",
consent_method="string",
admin_note="string",
grant_types=["string"],
login_uri="string",
logo="string",
logo_uri="string",
omit_secret=False,
pkce_required=False,
policy_uri="string",
post_logout_redirect_uris=["string"],
profile="string",
redirect_uris=["string"],
refresh_token_leeway=0,
refresh_token_rotation="string",
response_types=["string"],
status="string",
token_endpoint_auth_method="string",
tos_uri="string",
accessibility_login_redirect_url="string",
user_name_template="string",
user_name_template_push_status="string",
user_name_template_suffix="string",
user_name_template_type="string",
wildcard_redirect="string")
const oauthResource = new okta.app.OAuth("oauthResource", {
label: "string",
type: "string",
clientUri: "string",
appSettingsJson: "string",
appLinksJson: "string",
loginMode: "string",
authenticationPolicy: "string",
autoKeyRotation: false,
autoSubmitToolbar: false,
clientBasicSecret: "string",
clientId: "string",
accessibilityErrorRedirectUrl: "string",
accessibilitySelfService: false,
enduserNote: "string",
loginScopes: ["string"],
groupsClaim: {
name: "string",
type: "string",
value: "string",
filterType: "string",
issuerMode: "string",
},
hideIos: false,
hideWeb: false,
implicitAssignment: false,
issuerMode: "string",
jwks: [{
kid: "string",
kty: "string",
e: "string",
n: "string",
x: "string",
y: "string",
}],
jwksUri: "string",
consentMethod: "string",
adminNote: "string",
grantTypes: ["string"],
loginUri: "string",
logo: "string",
logoUri: "string",
omitSecret: false,
pkceRequired: false,
policyUri: "string",
postLogoutRedirectUris: ["string"],
profile: "string",
redirectUris: ["string"],
refreshTokenLeeway: 0,
refreshTokenRotation: "string",
responseTypes: ["string"],
status: "string",
tokenEndpointAuthMethod: "string",
tosUri: "string",
accessibilityLoginRedirectUrl: "string",
userNameTemplate: "string",
userNameTemplatePushStatus: "string",
userNameTemplateSuffix: "string",
userNameTemplateType: "string",
wildcardRedirect: "string",
});
type: okta:app:OAuth
properties:
accessibilityErrorRedirectUrl: string
accessibilityLoginRedirectUrl: string
accessibilitySelfService: false
adminNote: string
appLinksJson: string
appSettingsJson: string
authenticationPolicy: string
autoKeyRotation: false
autoSubmitToolbar: false
clientBasicSecret: string
clientId: string
clientUri: string
consentMethod: string
enduserNote: string
grantTypes:
- string
groupsClaim:
filterType: string
issuerMode: string
name: string
type: string
value: string
hideIos: false
hideWeb: false
implicitAssignment: false
issuerMode: string
jwks:
- e: string
kid: string
kty: string
"n": string
x: string
"y": string
jwksUri: string
label: string
loginMode: string
loginScopes:
- string
loginUri: string
logo: string
logoUri: string
omitSecret: false
pkceRequired: false
policyUri: string
postLogoutRedirectUris:
- string
profile: string
redirectUris:
- string
refreshTokenLeeway: 0
refreshTokenRotation: string
responseTypes:
- string
status: string
tokenEndpointAuthMethod: string
tosUri: string
type: string
userNameTemplate: string
userNameTemplatePushStatus: string
userNameTemplateSuffix: string
userNameTemplateType: string
wildcardRedirect: string
OAuth Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The OAuth resource accepts the following input properties:
- Label string
- The Application's display name.
- Type string
- The type of client application.
- Accessibility
Error stringRedirect Url - Custom error page URL
- Accessibility
Login stringRedirect Url - Custom login page URL
- Accessibility
Self boolService - Enable self service. Default is
false - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format
- Authentication
Policy string - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- Auto
Key boolRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- Auto
Submit boolToolbar - Display auto submit toolbar
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- Client
Id string - OAuth client ID. If set during creation, app is created with this id.
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- Enduser
Note string - Application notes for end users.
- Grant
Types List<string> - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- Groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- Hide
Ios bool - Do not display application icon on mobile app
- Hide
Web bool - Do not display application icon to users
- Implicit
Assignment bool - Early Access Property. Enable Federation Broker Mode.
- Issuer
Mode string - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- Jwks
List<OAuth
Jwk> - Jwks
Uri string - URL reference to JWKS
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any
- Login
Scopes List<string> - List of scopes to use for the request
- Login
Uri string - URI that initiates login.
- Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Omit
Secret bool - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Policy
Uri string - URI to web page providing client policy document.
- Post
Logout List<string>Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- Profile string
- Custom JSON that represents an OAuth application's profile
- Redirect
Uris List<string> - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- Refresh
Token intLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- Refresh
Token stringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- Response
Types List<string> - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - Status string
- Status of application. By default, it is
ACTIVE - Token
Endpoint stringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- Tos
Uri string - URI to web page providing client tos (terms of service).
- User
Name stringTemplate - Username template. Default:
${source.login} - User
Name stringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - User
Name stringTemplate Suffix - Username template suffix
- User
Name stringTemplate Type - Username template type. Default:
BUILT_IN - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- Label string
- The Application's display name.
- Type string
- The type of client application.
- Accessibility
Error stringRedirect Url - Custom error page URL
- Accessibility
Login stringRedirect Url - Custom login page URL
- Accessibility
Self boolService - Enable self service. Default is
false - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format
- Authentication
Policy string - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- Auto
Key boolRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- Auto
Submit boolToolbar - Display auto submit toolbar
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- Client
Id string - OAuth client ID. If set during creation, app is created with this id.
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- Enduser
Note string - Application notes for end users.
- Grant
Types []string - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- Groups
Claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- Hide
Ios bool - Do not display application icon on mobile app
- Hide
Web bool - Do not display application icon to users
- Implicit
Assignment bool - Early Access Property. Enable Federation Broker Mode.
- Issuer
Mode string - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- Jwks
[]OAuth
Jwk Args - Jwks
Uri string - URL reference to JWKS
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any
- Login
Scopes []string - List of scopes to use for the request
- Login
Uri string - URI that initiates login.
- Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Omit
Secret bool - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Policy
Uri string - URI to web page providing client policy document.
- Post
Logout []stringRedirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- Profile string
- Custom JSON that represents an OAuth application's profile
- Redirect
Uris []string - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- Refresh
Token intLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- Refresh
Token stringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- Response
Types []string - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - Status string
- Status of application. By default, it is
ACTIVE - Token
Endpoint stringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- Tos
Uri string - URI to web page providing client tos (terms of service).
- User
Name stringTemplate - Username template. Default:
${source.login} - User
Name stringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - User
Name stringTemplate Suffix - Username template suffix
- User
Name stringTemplate Type - Username template type. Default:
BUILT_IN - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- label String
- The Application's display name.
- type String
- The type of client application.
- accessibility
Error StringRedirect Url - Custom error page URL
- accessibility
Login StringRedirect Url - Custom login page URL
- accessibility
Self BooleanService - Enable self service. Default is
false - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format
- authentication
Policy String - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto
Key BooleanRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto
Submit BooleanToolbar - Display auto submit toolbar
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client
Id String - OAuth client ID. If set during creation, app is created with this id.
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide
Ios Boolean - Do not display application icon on mobile app
- hide
Web Boolean - Do not display application icon to users
- implicit
Assignment Boolean - Early Access Property. Enable Federation Broker Mode.
- issuer
Mode String - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks
List<OAuth
Jwk> - jwks
Uri String - URL reference to JWKS
- login
Mode String - The type of Idp-Initiated login that the client supports, if any
- login
Scopes List<String> - List of scopes to use for the request
- login
Uri String - URI that initiates login.
- logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- omit
Secret Boolean - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile String
- Custom JSON that represents an OAuth application's profile
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh
Token IntegerLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh
Token StringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response
Types List<String> - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - status String
- Status of application. By default, it is
ACTIVE - token
Endpoint StringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos
Uri String - URI to web page providing client tos (terms of service).
- user
Name StringTemplate - Username template. Default:
${source.login} - user
Name StringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - user
Name StringTemplate Suffix - Username template suffix
- user
Name StringTemplate Type - Username template type. Default:
BUILT_IN - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- label string
- The Application's display name.
- type string
- The type of client application.
- accessibility
Error stringRedirect Url - Custom error page URL
- accessibility
Login stringRedirect Url - Custom login page URL
- accessibility
Self booleanService - Enable self service. Default is
false - admin
Note string - Application notes for admins.
- app
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings stringJson - Application settings in JSON format
- authentication
Policy string - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto
Key booleanRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto
Submit booleanToolbar - Display auto submit toolbar
- client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client
Id string - OAuth client ID. If set during creation, app is created with this id.
- client
Uri string - URI to a web page providing information about the client.
- consent
Method string - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser
Note string - Application notes for end users.
- grant
Types string[] - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide
Ios boolean - Do not display application icon on mobile app
- hide
Web boolean - Do not display application icon to users
- implicit
Assignment boolean - Early Access Property. Enable Federation Broker Mode.
- issuer
Mode string - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks
OAuth
Jwk[] - jwks
Uri string - URL reference to JWKS
- login
Mode string - The type of Idp-Initiated login that the client supports, if any
- login
Scopes string[] - List of scopes to use for the request
- login
Uri string - URI that initiates login.
- logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri string - URI that references a logo for the client.
- omit
Secret boolean - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy
Uri string - URI to web page providing client policy document.
- post
Logout string[]Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile string
- Custom JSON that represents an OAuth application's profile
- redirect
Uris string[] - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh
Token numberLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh
Token stringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response
Types string[] - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - status string
- Status of application. By default, it is
ACTIVE - token
Endpoint stringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos
Uri string - URI to web page providing client tos (terms of service).
- user
Name stringTemplate - Username template. Default:
${source.login} - user
Name stringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - user
Name stringTemplate Suffix - Username template suffix
- user
Name stringTemplate Type - Username template type. Default:
BUILT_IN - wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- label str
- The Application's display name.
- type str
- The type of client application.
- accessibility_
error_ strredirect_ url - Custom error page URL
- accessibility_
login_ strredirect_ url - Custom login page URL
- accessibility_
self_ boolservice - Enable self service. Default is
false - admin_
note str - Application notes for admins.
- app_
links_ strjson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app_
settings_ strjson - Application settings in JSON format
- authentication_
policy str - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto_
key_ boolrotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto_
submit_ booltoolbar - Display auto submit toolbar
- client_
basic_ strsecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client_
id str - OAuth client ID. If set during creation, app is created with this id.
- client_
uri str - URI to a web page providing information about the client.
- consent_
method str - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser_
note str - Application notes for end users.
- grant_
types Sequence[str] - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups_
claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide_
ios bool - Do not display application icon on mobile app
- hide_
web bool - Do not display application icon to users
- implicit_
assignment bool - Early Access Property. Enable Federation Broker Mode.
- issuer_
mode str - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks
Sequence[OAuth
Jwk Args] - jwks_
uri str - URL reference to JWKS
- login_
mode str - The type of Idp-Initiated login that the client supports, if any
- login_
scopes Sequence[str] - List of scopes to use for the request
- login_
uri str - URI that initiates login.
- logo str
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo_
uri str - URI that references a logo for the client.
- omit_
secret bool - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce_
required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy_
uri str - URI to web page providing client policy document.
- post_
logout_ Sequence[str]redirect_ uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile str
- Custom JSON that represents an OAuth application's profile
- redirect_
uris Sequence[str] - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh_
token_ intleeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh_
token_ strrotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response_
types Sequence[str] - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - status str
- Status of application. By default, it is
ACTIVE - token_
endpoint_ strauth_ method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos_
uri str - URI to web page providing client tos (terms of service).
- user_
name_ strtemplate - Username template. Default:
${source.login} - user_
name_ strtemplate_ push_ status - Push username on update. Valid values:
PUSHandDONT_PUSH - user_
name_ strtemplate_ suffix - Username template suffix
- user_
name_ strtemplate_ type - Username template type. Default:
BUILT_IN - wildcard_
redirect str - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- label String
- The Application's display name.
- type String
- The type of client application.
- accessibility
Error StringRedirect Url - Custom error page URL
- accessibility
Login StringRedirect Url - Custom login page URL
- accessibility
Self BooleanService - Enable self service. Default is
false - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format
- authentication
Policy String - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto
Key BooleanRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto
Submit BooleanToolbar - Display auto submit toolbar
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client
Id String - OAuth client ID. If set during creation, app is created with this id.
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups
Claim Property Map - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide
Ios Boolean - Do not display application icon on mobile app
- hide
Web Boolean - Do not display application icon to users
- implicit
Assignment Boolean - Early Access Property. Enable Federation Broker Mode.
- issuer
Mode String - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks List<Property Map>
- jwks
Uri String - URL reference to JWKS
- login
Mode String - The type of Idp-Initiated login that the client supports, if any
- login
Scopes List<String> - List of scopes to use for the request
- login
Uri String - URI that initiates login.
- logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- omit
Secret Boolean - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile String
- Custom JSON that represents an OAuth application's profile
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh
Token NumberLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh
Token StringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response
Types List<String> - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - status String
- Status of application. By default, it is
ACTIVE - token
Endpoint StringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos
Uri String - URI to web page providing client tos (terms of service).
- user
Name StringTemplate - Username template. Default:
${source.login} - user
Name StringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - user
Name StringTemplate Suffix - Username template suffix
- user
Name StringTemplate Type - Username template type. Default:
BUILT_IN - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
Outputs
All input properties are implicitly available as output properties. Additionally, the OAuth resource produces the following output properties:
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- Id string
- The provider-assigned unique ID for this managed resource.
- Logo
Url string - URL of the application's logo
- Name string
- Name of the app.
- Sign
On stringMode - Sign on mode of application.
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- Id string
- The provider-assigned unique ID for this managed resource.
- Logo
Url string - URL of the application's logo
- Name string
- Name of the app.
- Sign
On stringMode - Sign on mode of application.
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- id String
- The provider-assigned unique ID for this managed resource.
- logo
Url String - URL of the application's logo
- name String
- Name of the app.
- sign
On StringMode - Sign on mode of application.
- client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- id string
- The provider-assigned unique ID for this managed resource.
- logo
Url string - URL of the application's logo
- name string
- Name of the app.
- sign
On stringMode - Sign on mode of application.
- client_
secret str - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- id str
- The provider-assigned unique ID for this managed resource.
- logo_
url str - URL of the application's logo
- name str
- Name of the app.
- sign_
on_ strmode - Sign on mode of application.
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- id String
- The provider-assigned unique ID for this managed resource.
- logo
Url String - URL of the application's logo
- name String
- Name of the app.
- sign
On StringMode - Sign on mode of application.
Look up Existing OAuth Resource
Get an existing OAuth resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: OAuthState, opts?: CustomResourceOptions): OAuth@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessibility_error_redirect_url: Optional[str] = None,
accessibility_login_redirect_url: Optional[str] = None,
accessibility_self_service: Optional[bool] = None,
admin_note: Optional[str] = None,
app_links_json: Optional[str] = None,
app_settings_json: Optional[str] = None,
authentication_policy: Optional[str] = None,
auto_key_rotation: Optional[bool] = None,
auto_submit_toolbar: Optional[bool] = None,
client_basic_secret: Optional[str] = None,
client_id: Optional[str] = None,
client_secret: Optional[str] = None,
client_uri: Optional[str] = None,
consent_method: Optional[str] = None,
enduser_note: Optional[str] = None,
grant_types: Optional[Sequence[str]] = None,
groups_claim: Optional[OAuthGroupsClaimArgs] = None,
hide_ios: Optional[bool] = None,
hide_web: Optional[bool] = None,
implicit_assignment: Optional[bool] = None,
issuer_mode: Optional[str] = None,
jwks: Optional[Sequence[OAuthJwkArgs]] = None,
jwks_uri: Optional[str] = None,
label: Optional[str] = None,
login_mode: Optional[str] = None,
login_scopes: Optional[Sequence[str]] = None,
login_uri: Optional[str] = None,
logo: Optional[str] = None,
logo_uri: Optional[str] = None,
logo_url: Optional[str] = None,
name: Optional[str] = None,
omit_secret: Optional[bool] = None,
pkce_required: Optional[bool] = None,
policy_uri: Optional[str] = None,
post_logout_redirect_uris: Optional[Sequence[str]] = None,
profile: Optional[str] = None,
redirect_uris: Optional[Sequence[str]] = None,
refresh_token_leeway: Optional[int] = None,
refresh_token_rotation: Optional[str] = None,
response_types: Optional[Sequence[str]] = None,
sign_on_mode: Optional[str] = None,
status: Optional[str] = None,
token_endpoint_auth_method: Optional[str] = None,
tos_uri: Optional[str] = None,
type: Optional[str] = None,
user_name_template: Optional[str] = None,
user_name_template_push_status: Optional[str] = None,
user_name_template_suffix: Optional[str] = None,
user_name_template_type: Optional[str] = None,
wildcard_redirect: Optional[str] = None) -> OAuthfunc GetOAuth(ctx *Context, name string, id IDInput, state *OAuthState, opts ...ResourceOption) (*OAuth, error)public static OAuth Get(string name, Input<string> id, OAuthState? state, CustomResourceOptions? opts = null)public static OAuth get(String name, Output<String> id, OAuthState state, CustomResourceOptions options)resources: _: type: okta:app:OAuth get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessibility
Error stringRedirect Url - Custom error page URL
- Accessibility
Login stringRedirect Url - Custom login page URL
- Accessibility
Self boolService - Enable self service. Default is
false - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format
- Authentication
Policy string - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- Auto
Key boolRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- Auto
Submit boolToolbar - Display auto submit toolbar
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- Client
Id string - OAuth client ID. If set during creation, app is created with this id.
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- Enduser
Note string - Application notes for end users.
- Grant
Types List<string> - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- Groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- Hide
Ios bool - Do not display application icon on mobile app
- Hide
Web bool - Do not display application icon to users
- Implicit
Assignment bool - Early Access Property. Enable Federation Broker Mode.
- Issuer
Mode string - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- Jwks
List<OAuth
Jwk> - Jwks
Uri string - URL reference to JWKS
- Label string
- The Application's display name.
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any
- Login
Scopes List<string> - List of scopes to use for the request
- Login
Uri string - URI that initiates login.
- Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Logo
Url string - URL of the application's logo
- Name string
- Name of the app.
- Omit
Secret bool - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Policy
Uri string - URI to web page providing client policy document.
- Post
Logout List<string>Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- Profile string
- Custom JSON that represents an OAuth application's profile
- Redirect
Uris List<string> - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- Refresh
Token intLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- Refresh
Token stringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- Response
Types List<string> - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - Sign
On stringMode - Sign on mode of application.
- Status string
- Status of application. By default, it is
ACTIVE - Token
Endpoint stringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- Tos
Uri string - URI to web page providing client tos (terms of service).
- Type string
- The type of client application.
- User
Name stringTemplate - Username template. Default:
${source.login} - User
Name stringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - User
Name stringTemplate Suffix - Username template suffix
- User
Name stringTemplate Type - Username template type. Default:
BUILT_IN - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- Accessibility
Error stringRedirect Url - Custom error page URL
- Accessibility
Login stringRedirect Url - Custom login page URL
- Accessibility
Self boolService - Enable self service. Default is
false - Admin
Note string - Application notes for admins.
- App
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- App
Settings stringJson - Application settings in JSON format
- Authentication
Policy string - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- Auto
Key boolRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- Auto
Submit boolToolbar - Display auto submit toolbar
- Client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- Client
Id string - OAuth client ID. If set during creation, app is created with this id.
- Client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- Client
Uri string - URI to a web page providing information about the client.
- Consent
Method string - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- Enduser
Note string - Application notes for end users.
- Grant
Types []string - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- Groups
Claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- Hide
Ios bool - Do not display application icon on mobile app
- Hide
Web bool - Do not display application icon to users
- Implicit
Assignment bool - Early Access Property. Enable Federation Broker Mode.
- Issuer
Mode string - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- Jwks
[]OAuth
Jwk Args - Jwks
Uri string - URL reference to JWKS
- Label string
- The Application's display name.
- Login
Mode string - The type of Idp-Initiated login that the client supports, if any
- Login
Scopes []string - List of scopes to use for the request
- Login
Uri string - URI that initiates login.
- Logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- Logo
Uri string - URI that references a logo for the client.
- Logo
Url string - URL of the application's logo
- Name string
- Name of the app.
- Omit
Secret bool - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - Pkce
Required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- Policy
Uri string - URI to web page providing client policy document.
- Post
Logout []stringRedirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- Profile string
- Custom JSON that represents an OAuth application's profile
- Redirect
Uris []string - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- Refresh
Token intLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- Refresh
Token stringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- Response
Types []string - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - Sign
On stringMode - Sign on mode of application.
- Status string
- Status of application. By default, it is
ACTIVE - Token
Endpoint stringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- Tos
Uri string - URI to web page providing client tos (terms of service).
- Type string
- The type of client application.
- User
Name stringTemplate - Username template. Default:
${source.login} - User
Name stringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - User
Name stringTemplate Suffix - Username template suffix
- User
Name stringTemplate Type - Username template type. Default:
BUILT_IN - Wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- accessibility
Error StringRedirect Url - Custom error page URL
- accessibility
Login StringRedirect Url - Custom login page URL
- accessibility
Self BooleanService - Enable self service. Default is
false - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format
- authentication
Policy String - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto
Key BooleanRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto
Submit BooleanToolbar - Display auto submit toolbar
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client
Id String - OAuth client ID. If set during creation, app is created with this id.
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide
Ios Boolean - Do not display application icon on mobile app
- hide
Web Boolean - Do not display application icon to users
- implicit
Assignment Boolean - Early Access Property. Enable Federation Broker Mode.
- issuer
Mode String - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks
List<OAuth
Jwk> - jwks
Uri String - URL reference to JWKS
- label String
- The Application's display name.
- login
Mode String - The type of Idp-Initiated login that the client supports, if any
- login
Scopes List<String> - List of scopes to use for the request
- login
Uri String - URI that initiates login.
- logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- logo
Url String - URL of the application's logo
- name String
- Name of the app.
- omit
Secret Boolean - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile String
- Custom JSON that represents an OAuth application's profile
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh
Token IntegerLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh
Token StringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response
Types List<String> - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - sign
On StringMode - Sign on mode of application.
- status String
- Status of application. By default, it is
ACTIVE - token
Endpoint StringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos
Uri String - URI to web page providing client tos (terms of service).
- type String
- The type of client application.
- user
Name StringTemplate - Username template. Default:
${source.login} - user
Name StringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - user
Name StringTemplate Suffix - Username template suffix
- user
Name StringTemplate Type - Username template type. Default:
BUILT_IN - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- accessibility
Error stringRedirect Url - Custom error page URL
- accessibility
Login stringRedirect Url - Custom login page URL
- accessibility
Self booleanService - Enable self service. Default is
false - admin
Note string - Application notes for admins.
- app
Links stringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings stringJson - Application settings in JSON format
- authentication
Policy string - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto
Key booleanRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto
Submit booleanToolbar - Display auto submit toolbar
- client
Basic stringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client
Id string - OAuth client ID. If set during creation, app is created with this id.
- client
Secret string - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- client
Uri string - URI to a web page providing information about the client.
- consent
Method string - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser
Note string - Application notes for end users.
- grant
Types string[] - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups
Claim OAuthGroups Claim - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide
Ios boolean - Do not display application icon on mobile app
- hide
Web boolean - Do not display application icon to users
- implicit
Assignment boolean - Early Access Property. Enable Federation Broker Mode.
- issuer
Mode string - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks
OAuth
Jwk[] - jwks
Uri string - URL reference to JWKS
- label string
- The Application's display name.
- login
Mode string - The type of Idp-Initiated login that the client supports, if any
- login
Scopes string[] - List of scopes to use for the request
- login
Uri string - URI that initiates login.
- logo string
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri string - URI that references a logo for the client.
- logo
Url string - URL of the application's logo
- name string
- Name of the app.
- omit
Secret boolean - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy
Uri string - URI to web page providing client policy document.
- post
Logout string[]Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile string
- Custom JSON that represents an OAuth application's profile
- redirect
Uris string[] - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh
Token numberLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh
Token stringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response
Types string[] - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - sign
On stringMode - Sign on mode of application.
- status string
- Status of application. By default, it is
ACTIVE - token
Endpoint stringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos
Uri string - URI to web page providing client tos (terms of service).
- type string
- The type of client application.
- user
Name stringTemplate - Username template. Default:
${source.login} - user
Name stringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - user
Name stringTemplate Suffix - Username template suffix
- user
Name stringTemplate Type - Username template type. Default:
BUILT_IN - wildcard
Redirect string - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- accessibility_
error_ strredirect_ url - Custom error page URL
- accessibility_
login_ strredirect_ url - Custom login page URL
- accessibility_
self_ boolservice - Enable self service. Default is
false - admin_
note str - Application notes for admins.
- app_
links_ strjson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app_
settings_ strjson - Application settings in JSON format
- authentication_
policy str - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto_
key_ boolrotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto_
submit_ booltoolbar - Display auto submit toolbar
- client_
basic_ strsecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client_
id str - OAuth client ID. If set during creation, app is created with this id.
- client_
secret str - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- client_
uri str - URI to a web page providing information about the client.
- consent_
method str - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser_
note str - Application notes for end users.
- grant_
types Sequence[str] - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups_
claim OAuthGroups Claim Args - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide_
ios bool - Do not display application icon on mobile app
- hide_
web bool - Do not display application icon to users
- implicit_
assignment bool - Early Access Property. Enable Federation Broker Mode.
- issuer_
mode str - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks
Sequence[OAuth
Jwk Args] - jwks_
uri str - URL reference to JWKS
- label str
- The Application's display name.
- login_
mode str - The type of Idp-Initiated login that the client supports, if any
- login_
scopes Sequence[str] - List of scopes to use for the request
- login_
uri str - URI that initiates login.
- logo str
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo_
uri str - URI that references a logo for the client.
- logo_
url str - URL of the application's logo
- name str
- Name of the app.
- omit_
secret bool - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce_
required bool - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy_
uri str - URI to web page providing client policy document.
- post_
logout_ Sequence[str]redirect_ uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile str
- Custom JSON that represents an OAuth application's profile
- redirect_
uris Sequence[str] - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh_
token_ intleeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh_
token_ strrotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response_
types Sequence[str] - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - sign_
on_ strmode - Sign on mode of application.
- status str
- Status of application. By default, it is
ACTIVE - token_
endpoint_ strauth_ method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos_
uri str - URI to web page providing client tos (terms of service).
- type str
- The type of client application.
- user_
name_ strtemplate - Username template. Default:
${source.login} - user_
name_ strtemplate_ push_ status - Push username on update. Valid values:
PUSHandDONT_PUSH - user_
name_ strtemplate_ suffix - Username template suffix
- user_
name_ strtemplate_ type - Username template type. Default:
BUILT_IN - wildcard_
redirect str - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
- accessibility
Error StringRedirect Url - Custom error page URL
- accessibility
Login StringRedirect Url - Custom login page URL
- accessibility
Self BooleanService - Enable self service. Default is
false - admin
Note String - Application notes for admins.
- app
Links StringJson - Displays specific appLinks for the app. The value for each application link should be boolean.
- app
Settings StringJson - Application settings in JSON format
- authentication
Policy String - The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
- auto
Key BooleanRotation - Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
- auto
Submit BooleanToolbar - Display auto submit toolbar
- client
Basic StringSecret - The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
- client
Id String - OAuth client ID. If set during creation, app is created with this id.
- client
Secret String - OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
- client
Uri String - URI to a web page providing information about the client.
- consent
Method String - Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
- enduser
Note String - Application notes for end users.
- grant
Types List<String> - List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
- groups
Claim Property Map - Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
- hide
Ios Boolean - Do not display application icon on mobile app
- hide
Web Boolean - Do not display application icon to users
- implicit
Assignment Boolean - Early Access Property. Enable Federation Broker Mode.
- issuer
Mode String - Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
- jwks List<Property Map>
- jwks
Uri String - URL reference to JWKS
- label String
- The Application's display name.
- login
Mode String - The type of Idp-Initiated login that the client supports, if any
- login
Scopes List<String> - List of scopes to use for the request
- login
Uri String - URI that initiates login.
- logo String
- Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
- logo
Uri String - URI that references a logo for the client.
- logo
Url String - URL of the application's logo
- name String
- Name of the app.
- omit
Secret Boolean - This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the
client_secretis dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state. - pkce
Required Boolean - Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
- policy
Uri String - URI to web page providing client policy document.
- post
Logout List<String>Redirect Uris - List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
- profile String
- Custom JSON that represents an OAuth application's profile
- redirect
Uris List<String> - List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
- refresh
Token NumberLeeway - Early Access Property Grace period for token rotation, required with grant types refresh_token
- refresh
Token StringRotation - Early Access Property Refresh token rotation behavior, required with grant types refresh_token
- response
Types List<String> - List of OAuth 2.0 response type strings. Valid values are any combination of:
code,token, andid_token. - sign
On StringMode - Sign on mode of application.
- status String
- Status of application. By default, it is
ACTIVE - token
Endpoint StringAuth Method - Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
- tos
Uri String - URI to web page providing client tos (terms of service).
- type String
- The type of client application.
- user
Name StringTemplate - Username template. Default:
${source.login} - user
Name StringTemplate Push Status - Push username on update. Valid values:
PUSHandDONT_PUSH - user
Name StringTemplate Suffix - Username template suffix
- user
Name StringTemplate Type - Username template type. Default:
BUILT_IN - wildcard
Redirect String - Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
Supporting Types
OAuthGroupsClaim, OAuthGroupsClaimArgs
- Name string
- Name of the claim that will be used in the token.
- Type string
- Groups claim type.
- Value string
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- Filter
Type string - Groups claim filter. Can only be set if type is FILTER.
- Issuer
Mode string - Issuer mode inherited from OAuth App
- Name string
- Name of the claim that will be used in the token.
- Type string
- Groups claim type.
- Value string
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- Filter
Type string - Groups claim filter. Can only be set if type is FILTER.
- Issuer
Mode string - Issuer mode inherited from OAuth App
- name String
- Name of the claim that will be used in the token.
- type String
- Groups claim type.
- value String
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter
Type String - Groups claim filter. Can only be set if type is FILTER.
- issuer
Mode String - Issuer mode inherited from OAuth App
- name string
- Name of the claim that will be used in the token.
- type string
- Groups claim type.
- value string
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter
Type string - Groups claim filter. Can only be set if type is FILTER.
- issuer
Mode string - Issuer mode inherited from OAuth App
- name str
- Name of the claim that will be used in the token.
- type str
- Groups claim type.
- value str
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter_
type str - Groups claim filter. Can only be set if type is FILTER.
- issuer_
mode str - Issuer mode inherited from OAuth App
- name String
- Name of the claim that will be used in the token.
- type String
- Groups claim type.
- value String
- Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
- filter
Type String - Groups claim filter. Can only be set if type is FILTER.
- issuer
Mode String - Issuer mode inherited from OAuth App
OAuthJwk, OAuthJwkArgs
Import
$ pulumi import okta:app/oAuth:OAuth example <app_id>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Okta pulumi/pulumi-okta
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
oktaTerraform Provider.