Okta v4.16.0 published on Wednesday, Apr 9, 2025 by Pulumi

okta.app.OAuth


This resource allows you to create and configure an OIDC Application.

During an apply, if there is a change in status, the app will first be activated or deactivated in accordance with the status change. Then all other arguments that changed will be applied.

okta.app.OAuthRedirectUri has been marked deprecated and will be removed in the v5 release of the provider. Operators should manage the redirect URIs for an OAuth app directly on the OAuth app resource.

Private Keys

An Okta OAuth app expects private keys in unencrypted PKCS#8 format. The operator either uploads their own private key or has Okta generate one in the Admin UI Panel under the app's Client Credentials. A PKCS#8 key can be identified by a header that starts with -----BEGIN PRIVATE KEY-----. If the operator has an unencrypted PKCS#1 private key (the header starts with -----BEGIN RSA PRIVATE KEY-----), they can generate a PKCS#8 format key with openssl:

 openssl pkcs8 -topk8 -nocrypt -in pkcs1.pem -out pkcs8-example.pem
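
A pre-upload check for the two formats described above, as an added example that is not part of the provider's documentation or code: it classifies a PEM private key by its header and confirms that the DER body has the structure the header claims. The function names and sample keys are constructed for illustration; the samples are structural stand-ins with dummy integers, not real key material.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# DER shape each PEM label should carry (labels as named in the text above).
EXPECTED_SHAPE = {"PRIVATE KEY": "pkcs8", "RSA PRIVATE KEY": "pkcs1"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_shape(der):
    """Classify the outer structure as 'pkcs8', 'pkcs1' or 'unknown'."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    first, _, pos = read_tlv(body, 0)
    if first != 0x02:   # both formats open with an INTEGER version
        return "unknown"
    second, _, pos = read_tlv(body, pos)
    if second == 0x02:  # version, then modulus INTEGER: RSAPrivateKey
        return "pkcs1"
    if second == 0x30:  # version, AlgorithmIdentifier, OCTET STRING: PrivateKeyInfo
        third, _, _ = read_tlv(body, pos)
        return "pkcs8" if third == 0x04 else "unknown"
    return "unknown"


def check_private_key(pem_text):
    """Return (verdict, detail); only the verdict 'pkcs8' is ready for upload."""
    m = PEM_RE.search(pem_text)
    if m is None:
        return "invalid", "no PEM block found"
    label, payload = m.group(1), m.group(2)
    # Encrypted PKCS#8 has its own label; legacy encrypted PKCS#1 adds PEM headers.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in payload:
        return "encrypted", "key is passphrase-protected; an unencrypted key is expected"
    if label not in EXPECTED_SHAPE:
        return "unsupported", f"unexpected PEM label {label!r}"
    try:
        der = base64.b64decode("".join(payload.split()), validate=True)
        shape = der_shape(der)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return "invalid", f"body is not valid base64/DER: {exc}"
    if shape != EXPECTED_SHAPE[label]:
        return "mislabelled", f"header says {EXPECTED_SHAPE[label]}, body looks like {shape}"
    if shape == "pkcs1":
        return "pkcs1", "convert to PKCS#8 with openssl before upload"
    return "pkcs8", "unencrypted PKCS#8"


def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: correct outer structure, dummy integers, not usable keys.
INT0 = tlv(0x02, b"\x00")
PKCS1_DER = tlv(0x30, INT0 + tlv(0x02, b"\x00" + b"\xc3" * 128)
                + tlv(0x02, b"\x01\x00\x01") + tlv(0x02, b"\x11" * 128))
ALG_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
PKCS8_DER = tlv(0x30, INT0 + ALG_RSA + tlv(0x04, PKCS1_DER))

SAMPLE_PKCS8 = pem("PRIVATE KEY", PKCS8_DER)
SAMPLE_PKCS1 = pem("RSA PRIVATE KEY", PKCS1_DER)
SAMPLE_MISLABELLED = pem("PRIVATE KEY", PKCS1_DER)   # PKCS#1 body, PKCS#8 header
SAMPLE_TRUNCATED = pem("PRIVATE KEY", PKCS8_DER[:20])
SAMPLE_ENCRYPTED = pem("ENCRYPTED PRIVATE KEY", b"\x30\x00")
SAMPLE_LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, value in sorted(globals().items()):
        if name.startswith("SAMPLE_"):
            print(name, check_private_key(value))
```

The check looks only at the outer structure, so it catches wrong, mislabelled, truncated and encrypted files but does not prove the key itself is mathematically valid.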

Create OAuth Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new OAuth(name: string, args: OAuthArgs, opts?: CustomResourceOptions);
@overload
def OAuth(resource_name: str,
          args: OAuthArgs,
          opts: Optional[ResourceOptions] = None)

@overload
def OAuth(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          label: Optional[str] = None,
          type: Optional[str] = None,
          client_uri: Optional[str] = None,
          admin_note: Optional[str] = None,
          app_links_json: Optional[str] = None,
          app_settings_json: Optional[str] = None,
          authentication_policy: Optional[str] = None,
          auto_key_rotation: Optional[bool] = None,
          auto_submit_toolbar: Optional[bool] = None,
          client_basic_secret: Optional[str] = None,
          client_id: Optional[str] = None,
          accessibility_error_redirect_url: Optional[str] = None,
          consent_method: Optional[str] = None,
          enduser_note: Optional[str] = None,
          grant_types: Optional[Sequence[str]] = None,
          groups_claim: Optional[OAuthGroupsClaimArgs] = None,
          hide_ios: Optional[bool] = None,
          hide_web: Optional[bool] = None,
          implicit_assignment: Optional[bool] = None,
          issuer_mode: Optional[str] = None,
          jwks: Optional[Sequence[OAuthJwkArgs]] = None,
          jwks_uri: Optional[str] = None,
          login_scopes: Optional[Sequence[str]] = None,
          accessibility_self_service: Optional[bool] = None,
          login_mode: Optional[str] = None,
          login_uri: Optional[str] = None,
          logo: Optional[str] = None,
          logo_uri: Optional[str] = None,
          omit_secret: Optional[bool] = None,
          pkce_required: Optional[bool] = None,
          policy_uri: Optional[str] = None,
          post_logout_redirect_uris: Optional[Sequence[str]] = None,
          profile: Optional[str] = None,
          redirect_uris: Optional[Sequence[str]] = None,
          refresh_token_leeway: Optional[int] = None,
          refresh_token_rotation: Optional[str] = None,
          response_types: Optional[Sequence[str]] = None,
          status: Optional[str] = None,
          token_endpoint_auth_method: Optional[str] = None,
          tos_uri: Optional[str] = None,
          accessibility_login_redirect_url: Optional[str] = None,
          user_name_template: Optional[str] = None,
          user_name_template_push_status: Optional[str] = None,
          user_name_template_suffix: Optional[str] = None,
          user_name_template_type: Optional[str] = None,
          wildcard_redirect: Optional[str] = None)
func NewOAuth(ctx *Context, name string, args OAuthArgs, opts ...ResourceOption) (*OAuth, error)
public OAuth(string name, OAuthArgs args, CustomResourceOptions? opts = null)
public OAuth(String name, OAuthArgs args)
public OAuth(String name, OAuthArgs args, CustomResourceOptions options)
type: okta:app:OAuth
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. OAuthArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. OAuthArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. OAuthArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. OAuthArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. OAuthArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var oauthResource = new Okta.App.OAuth("oauthResource", new()
{
    Label = "string",
    Type = "string",
    ClientUri = "string",
    AdminNote = "string",
    AppLinksJson = "string",
    AppSettingsJson = "string",
    AuthenticationPolicy = "string",
    AutoKeyRotation = false,
    AutoSubmitToolbar = false,
    ClientBasicSecret = "string",
    ClientId = "string",
    AccessibilityErrorRedirectUrl = "string",
    ConsentMethod = "string",
    EnduserNote = "string",
    GrantTypes = new[]
    {
        "string",
    },
    GroupsClaim = new Okta.App.Inputs.OAuthGroupsClaimArgs
    {
        Name = "string",
        Type = "string",
        Value = "string",
        FilterType = "string",
        IssuerMode = "string",
    },
    HideIos = false,
    HideWeb = false,
    ImplicitAssignment = false,
    IssuerMode = "string",
    Jwks = new[]
    {
        new Okta.App.Inputs.OAuthJwkArgs
        {
            Kid = "string",
            Kty = "string",
            E = "string",
            N = "string",
            X = "string",
            Y = "string",
        },
    },
    JwksUri = "string",
    LoginScopes = new[]
    {
        "string",
    },
    AccessibilitySelfService = false,
    LoginMode = "string",
    LoginUri = "string",
    Logo = "string",
    LogoUri = "string",
    OmitSecret = false,
    PkceRequired = false,
    PolicyUri = "string",
    PostLogoutRedirectUris = new[]
    {
        "string",
    },
    Profile = "string",
    RedirectUris = new[]
    {
        "string",
    },
    RefreshTokenLeeway = 0,
    RefreshTokenRotation = "string",
    ResponseTypes = new[]
    {
        "string",
    },
    Status = "string",
    TokenEndpointAuthMethod = "string",
    TosUri = "string",
    AccessibilityLoginRedirectUrl = "string",
    UserNameTemplate = "string",
    UserNameTemplatePushStatus = "string",
    UserNameTemplateSuffix = "string",
    UserNameTemplateType = "string",
    WildcardRedirect = "string",
});
example, err := app.NewOAuth(ctx, "oauthResource", &app.OAuthArgs{
	Label:                         pulumi.String("string"),
	Type:                          pulumi.String("string"),
	ClientUri:                     pulumi.String("string"),
	AdminNote:                     pulumi.String("string"),
	AppLinksJson:                  pulumi.String("string"),
	AppSettingsJson:               pulumi.String("string"),
	AuthenticationPolicy:          pulumi.String("string"),
	AutoKeyRotation:               pulumi.Bool(false),
	AutoSubmitToolbar:             pulumi.Bool(false),
	ClientBasicSecret:             pulumi.String("string"),
	ClientId:                      pulumi.String("string"),
	AccessibilityErrorRedirectUrl: pulumi.String("string"),
	ConsentMethod:                 pulumi.String("string"),
	EnduserNote:                   pulumi.String("string"),
	GrantTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	GroupsClaim: &app.OAuthGroupsClaimArgs{
		Name:       pulumi.String("string"),
		Type:       pulumi.String("string"),
		Value:      pulumi.String("string"),
		FilterType: pulumi.String("string"),
		IssuerMode: pulumi.String("string"),
	},
	HideIos:            pulumi.Bool(false),
	HideWeb:            pulumi.Bool(false),
	ImplicitAssignment: pulumi.Bool(false),
	IssuerMode:         pulumi.String("string"),
	Jwks: app.OAuthJwkArray{
		&app.OAuthJwkArgs{
			Kid: pulumi.String("string"),
			Kty: pulumi.String("string"),
			E:   pulumi.String("string"),
			N:   pulumi.String("string"),
			X:   pulumi.String("string"),
			Y:   pulumi.String("string"),
		},
	},
	JwksUri: pulumi.String("string"),
	LoginScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	AccessibilitySelfService: pulumi.Bool(false),
	LoginMode:                pulumi.String("string"),
	LoginUri:                 pulumi.String("string"),
	Logo:                     pulumi.String("string"),
	LogoUri:                  pulumi.String("string"),
	OmitSecret:               pulumi.Bool(false),
	PkceRequired:             pulumi.Bool(false),
	PolicyUri:                pulumi.String("string"),
	PostLogoutRedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	Profile: pulumi.String("string"),
	RedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	RefreshTokenLeeway:   pulumi.Int(0),
	RefreshTokenRotation: pulumi.String("string"),
	ResponseTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	Status:                        pulumi.String("string"),
	TokenEndpointAuthMethod:       pulumi.String("string"),
	TosUri:                        pulumi.String("string"),
	AccessibilityLoginRedirectUrl: pulumi.String("string"),
	UserNameTemplate:              pulumi.String("string"),
	UserNameTemplatePushStatus:    pulumi.String("string"),
	UserNameTemplateSuffix:        pulumi.String("string"),
	UserNameTemplateType:          pulumi.String("string"),
	WildcardRedirect:              pulumi.String("string"),
})
var oauthResource = new OAuth("oauthResource", OAuthArgs.builder()
    .label("string")
    .type("string")
    .clientUri("string")
    .adminNote("string")
    .appLinksJson("string")
    .appSettingsJson("string")
    .authenticationPolicy("string")
    .autoKeyRotation(false)
    .autoSubmitToolbar(false)
    .clientBasicSecret("string")
    .clientId("string")
    .accessibilityErrorRedirectUrl("string")
    .consentMethod("string")
    .enduserNote("string")
    .grantTypes("string")
    .groupsClaim(OAuthGroupsClaimArgs.builder()
        .name("string")
        .type("string")
        .value("string")
        .filterType("string")
        .issuerMode("string")
        .build())
    .hideIos(false)
    .hideWeb(false)
    .implicitAssignment(false)
    .issuerMode("string")
    .jwks(OAuthJwkArgs.builder()
        .kid("string")
        .kty("string")
        .e("string")
        .n("string")
        .x("string")
        .y("string")
        .build())
    .jwksUri("string")
    .loginScopes("string")
    .accessibilitySelfService(false)
    .loginMode("string")
    .loginUri("string")
    .logo("string")
    .logoUri("string")
    .omitSecret(false)
    .pkceRequired(false)
    .policyUri("string")
    .postLogoutRedirectUris("string")
    .profile("string")
    .redirectUris("string")
    .refreshTokenLeeway(0)
    .refreshTokenRotation("string")
    .responseTypes("string")
    .status("string")
    .tokenEndpointAuthMethod("string")
    .tosUri("string")
    .accessibilityLoginRedirectUrl("string")
    .userNameTemplate("string")
    .userNameTemplatePushStatus("string")
    .userNameTemplateSuffix("string")
    .userNameTemplateType("string")
    .wildcardRedirect("string")
    .build());
oauth_resource = okta.app.OAuth("oauthResource",
    label="string",
    type="string",
    client_uri="string",
    admin_note="string",
    app_links_json="string",
    app_settings_json="string",
    authentication_policy="string",
    auto_key_rotation=False,
    auto_submit_toolbar=False,
    client_basic_secret="string",
    client_id="string",
    accessibility_error_redirect_url="string",
    consent_method="string",
    enduser_note="string",
    grant_types=["string"],
    groups_claim={
        "name": "string",
        "type": "string",
        "value": "string",
        "filter_type": "string",
        "issuer_mode": "string",
    },
    hide_ios=False,
    hide_web=False,
    implicit_assignment=False,
    issuer_mode="string",
    jwks=[{
        "kid": "string",
        "kty": "string",
        "e": "string",
        "n": "string",
        "x": "string",
        "y": "string",
    }],
    jwks_uri="string",
    login_scopes=["string"],
    accessibility_self_service=False,
    login_mode="string",
    login_uri="string",
    logo="string",
    logo_uri="string",
    omit_secret=False,
    pkce_required=False,
    policy_uri="string",
    post_logout_redirect_uris=["string"],
    profile="string",
    redirect_uris=["string"],
    refresh_token_leeway=0,
    refresh_token_rotation="string",
    response_types=["string"],
    status="string",
    token_endpoint_auth_method="string",
    tos_uri="string",
    accessibility_login_redirect_url="string",
    user_name_template="string",
    user_name_template_push_status="string",
    user_name_template_suffix="string",
    user_name_template_type="string",
    wildcard_redirect="string")
const oauthResource = new okta.app.OAuth("oauthResource", {
    label: "string",
    type: "string",
    clientUri: "string",
    adminNote: "string",
    appLinksJson: "string",
    appSettingsJson: "string",
    authenticationPolicy: "string",
    autoKeyRotation: false,
    autoSubmitToolbar: false,
    clientBasicSecret: "string",
    clientId: "string",
    accessibilityErrorRedirectUrl: "string",
    consentMethod: "string",
    enduserNote: "string",
    grantTypes: ["string"],
    groupsClaim: {
        name: "string",
        type: "string",
        value: "string",
        filterType: "string",
        issuerMode: "string",
    },
    hideIos: false,
    hideWeb: false,
    implicitAssignment: false,
    issuerMode: "string",
    jwks: [{
        kid: "string",
        kty: "string",
        e: "string",
        n: "string",
        x: "string",
        y: "string",
    }],
    jwksUri: "string",
    loginScopes: ["string"],
    accessibilitySelfService: false,
    loginMode: "string",
    loginUri: "string",
    logo: "string",
    logoUri: "string",
    omitSecret: false,
    pkceRequired: false,
    policyUri: "string",
    postLogoutRedirectUris: ["string"],
    profile: "string",
    redirectUris: ["string"],
    refreshTokenLeeway: 0,
    refreshTokenRotation: "string",
    responseTypes: ["string"],
    status: "string",
    tokenEndpointAuthMethod: "string",
    tosUri: "string",
    accessibilityLoginRedirectUrl: "string",
    userNameTemplate: "string",
    userNameTemplatePushStatus: "string",
    userNameTemplateSuffix: "string",
    userNameTemplateType: "string",
    wildcardRedirect: "string",
});
type: okta:app:OAuth
properties:
    accessibilityErrorRedirectUrl: string
    accessibilityLoginRedirectUrl: string
    accessibilitySelfService: false
    adminNote: string
    appLinksJson: string
    appSettingsJson: string
    authenticationPolicy: string
    autoKeyRotation: false
    autoSubmitToolbar: false
    clientBasicSecret: string
    clientId: string
    clientUri: string
    consentMethod: string
    enduserNote: string
    grantTypes:
        - string
    groupsClaim:
        filterType: string
        issuerMode: string
        name: string
        type: string
        value: string
    hideIos: false
    hideWeb: false
    implicitAssignment: false
    issuerMode: string
    jwks:
        - e: string
          kid: string
          kty: string
          "n": string
          x: string
          "y": string
    jwksUri: string
    label: string
    loginMode: string
    loginScopes:
        - string
    loginUri: string
    logo: string
    logoUri: string
    omitSecret: false
    pkceRequired: false
    policyUri: string
    postLogoutRedirectUris:
        - string
    profile: string
    redirectUris:
        - string
    refreshTokenLeeway: 0
    refreshTokenRotation: string
    responseTypes:
        - string
    status: string
    tokenEndpointAuthMethod: string
    tosUri: string
    type: string
    userNameTemplate: string
    userNameTemplatePushStatus: string
    userNameTemplateSuffix: string
    userNameTemplateType: string
    wildcardRedirect: string

OAuth Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The OAuth resource accepts the following input properties:

Label This property is required. string
The Application's display name.
Type
This property is required.
Changes to this property will trigger replacement.
string
The type of client application.
AccessibilityErrorRedirectUrl string
Custom error page URL
AccessibilityLoginRedirectUrl string
Custom login page URL
AccessibilitySelfService bool
Enable self service. Default is false
AdminNote string
Application notes for admins.
AppLinksJson string
Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string
Application settings in JSON format
AuthenticationPolicy string
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on-policy will be associated with this application.
AutoKeyRotation bool
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
AutoSubmitToolbar bool
Display auto submit toolbar
ClientBasicSecret string
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
ClientId Changes to this property will trigger replacement. string
OAuth client ID. If set during creation, app is created with this id.
ClientUri string
URI to a web page providing information about the client.
ConsentMethod string
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string
Application notes for end users.
GrantTypes List<string>
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaim
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool
Do not display application icon on mobile app
HideWeb bool
Do not display application icon to users
ImplicitAssignment bool
Early Access Property. Enable Federation Broker Mode.
IssuerMode string
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks List<OAuthJwk>
JwksUri string
URL reference to JWKS
LoginMode string
The type of Idp-Initiated login that the client supports, if any
LoginScopes List<string>
List of scopes to use for the request
LoginUri string
URI that initiates login.
Logo string
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string
URI that references a logo for the client.
OmitSecret bool
This tells the provider not to manage the client_secret value in state. When this is false (the default), the auto-generated client_secret is persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string
URI to web page providing client policy document.
PostLogoutRedirectUris List<string>
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
Profile string
Custom JSON that represents an OAuth application's profile
RedirectUris List<string>
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
RefreshTokenLeeway int
Early Access Property. Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes List<string>
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
Status string
Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
TosUri string
URI to web page providing client tos (terms of service).
UserNameTemplate string
Username template. Default: ${source.login}
UserNameTemplatePushStatus string
Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string
Username template suffix
UserNameTemplateType string
Username template type. Default: BUILT_IN
WildcardRedirect string
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
Label This property is required. string
The Application's display name.
Type
This property is required.
Changes to this property will trigger replacement.
string
The type of client application.
AccessibilityErrorRedirectUrl string
Custom error page URL
AccessibilityLoginRedirectUrl string
Custom login page URL
AccessibilitySelfService bool
Enable self service. Default is false
AdminNote string
Application notes for admins.
AppLinksJson string
Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string
Application settings in JSON format
AuthenticationPolicy string
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on-policy will be associated with this application.
AutoKeyRotation bool
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
AutoSubmitToolbar bool
Display auto submit toolbar
ClientBasicSecret string
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
ClientId Changes to this property will trigger replacement. string
OAuth client ID. If set during creation, app is created with this id.
ClientUri string
URI to a web page providing information about the client.
ConsentMethod string
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string
Application notes for end users.
GrantTypes []string
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaimArgs
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool
Do not display application icon on mobile app
HideWeb bool
Do not display application icon to users
ImplicitAssignment bool
Early Access Property. Enable Federation Broker Mode.
IssuerMode string
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks []OAuthJwkArgs
JwksUri string
URL reference to JWKS
LoginMode string
The type of Idp-Initiated login that the client supports, if any
LoginScopes []string
List of scopes to use for the request
LoginUri string
URI that initiates login.
Logo string
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string
URI that references a logo for the client.
OmitSecret bool
This tells the provider not to manage the client_secret value in state. When this is false (the default), the auto-generated client_secret is persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string
URI to web page providing client policy document.
PostLogoutRedirectUris []string
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
Profile string
Custom JSON that represents an OAuth application's profile
RedirectUris []string
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
RefreshTokenLeeway int
Early Access Property. Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes []string
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
Status string
Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
TosUri string
URI to web page providing client tos (terms of service).
UserNameTemplate string
Username template. Default: ${source.login}
UserNameTemplatePushStatus string
Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string
Username template suffix
UserNameTemplateType string
Username template type. Default: BUILT_IN
WildcardRedirect string
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
label This property is required. String
The Application's display name.
type
This property is required.
Changes to this property will trigger replacement.
String
The type of client application.
accessibilityErrorRedirectUrl String
Custom error page URL
accessibilityLoginRedirectUrl String
Custom login page URL
accessibilitySelfService Boolean
Enable self service. Default is false
adminNote String
Application notes for admins.
appLinksJson String
Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String
Application settings in JSON format
authenticationPolicy String
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on-policy will be associated with this application.
autoKeyRotation Boolean
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
autoSubmitToolbar Boolean
Display auto submit toolbar
clientBasicSecret String
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
clientId Changes to this property will trigger replacement. String
OAuth client ID. If set during creation, app is created with this id.
clientUri String
URI to a web page providing information about the client.
consentMethod String
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String
Application notes for end users.
grantTypes List<String>
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean
Do not display application icon on mobile app
hideWeb Boolean
Do not display application icon to users
implicitAssignment Boolean
Early Access Property. Enable Federation Broker Mode.
issuerMode String
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<OAuthJwk>
jwksUri String
URL reference to JWKS
loginMode String
The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>
List of scopes to use for the request
loginUri String
URI that initiates login.
logo String
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String
URI that references a logo for the client.
omitSecret Boolean
This tells the provider not to manage the client_secret value in state. When this is false (the default), the auto-generated client_secret is persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String
URI to web page providing client policy document.
postLogoutRedirectUris List<String>
List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile String
Custom JSON that represents an OAuth application's profile
redirectUris List<String>
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refreshTokenLeeway Integer
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status String
Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tosUri String
URI to web page providing client tos (terms of service).
userNameTemplate String
Username template. Default: ${source.login}
userNameTemplatePushStatus String
Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String
Username template suffix
userNameTemplateType String
Username template type. Default: BUILT_IN
wildcardRedirect String
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
label This property is required. string
The Application's display name.
type This property is required. Changes to this property will trigger replacement. string
The type of client application.
accessibilityErrorRedirectUrl string
Custom error page URL
accessibilityLoginRedirectUrl string
Custom login page URL
accessibilitySelfService boolean
Enable self service. Default is false
adminNote string
Application notes for admins.
appLinksJson string
Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson string
Application settings in JSON format
authenticationPolicy string
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
autoKeyRotation boolean
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
autoSubmitToolbar boolean
Display auto submit toolbar
clientBasicSecret string
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
clientId Changes to this property will trigger replacement. string
OAuth client ID. If set during creation, app is created with this id.
clientUri string
URI to a web page providing information about the client.
consentMethod string
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote string
Application notes for end users.
grantTypes string[]
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos boolean
Do not display application icon on mobile app
hideWeb boolean
Do not display application icon to users
implicitAssignment boolean
Early Access Property. Enable Federation Broker Mode.
issuerMode string
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks OAuthJwk[]
jwksUri string
URL reference to JWKS
loginMode string
The type of Idp-Initiated login that the client supports, if any
loginScopes string[]
List of scopes to use for the request
loginUri string
URI that initiates login.
logo string
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri string
URI that references a logo for the client.
omitSecret boolean
This tells the provider not to manage the client_secret value in state. When this is false (the default), the auto-generated client_secret is persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired boolean
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri string
URI to web page providing client policy document.
postLogoutRedirectUris string[]
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
profile string
Custom JSON that represents an OAuth application's profile
redirectUris string[]
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refreshTokenLeeway number
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation string
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
responseTypes string[]
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status string
Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod string
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tosUri string
URI to web page providing client tos (terms of service).
userNameTemplate string
Username template. Default: ${source.login}
userNameTemplatePushStatus string
Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix string
Username template suffix
userNameTemplateType string
Username template type. Default: BUILT_IN
wildcardRedirect string
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
label This property is required. str
The Application's display name.
type This property is required. Changes to this property will trigger replacement. str
The type of client application.
accessibility_error_redirect_url str
Custom error page URL
accessibility_login_redirect_url str
Custom login page URL
accessibility_self_service bool
Enable self service. Default is false
admin_note str
Application notes for admins.
app_links_json str
Displays specific appLinks for the app. The value for each application link should be boolean.
app_settings_json str
Application settings in JSON format
authentication_policy str
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
auto_key_rotation bool
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
auto_submit_toolbar bool
Display auto submit toolbar
client_basic_secret str
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
client_id Changes to this property will trigger replacement. str
OAuth client ID. If set during creation, app is created with this id.
client_uri str
URI to a web page providing information about the client.
consent_method str
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduser_note str
Application notes for end users.
grant_types Sequence[str]
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groups_claim OAuthGroupsClaimArgs
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hide_ios bool
Do not display application icon on mobile app
hide_web bool
Do not display application icon to users
implicit_assignment bool
Early Access Property. Enable Federation Broker Mode.
issuer_mode str
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks Sequence[OAuthJwkArgs]
jwks_uri str
URL reference to JWKS
login_mode str
The type of Idp-Initiated login that the client supports, if any
login_scopes Sequence[str]
List of scopes to use for the request
login_uri str
URI that initiates login.
logo str
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logo_uri str
URI that references a logo for the client.
omit_secret bool
This tells the provider not to manage the client_secret value in state. When this is false (the default), the auto-generated client_secret is persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkce_required bool
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policy_uri str
URI to web page providing client policy document.
post_logout_redirect_uris Sequence[str]
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
profile str
Custom JSON that represents an OAuth application's profile
redirect_uris Sequence[str]
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refresh_token_leeway int
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refresh_token_rotation str
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
response_types Sequence[str]
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status str
Status of application. By default, it is ACTIVE
token_endpoint_auth_method str
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tos_uri str
URI to web page providing client tos (terms of service).
user_name_template str
Username template. Default: ${source.login}
user_name_template_push_status str
Push username on update. Valid values: PUSH and DONT_PUSH
user_name_template_suffix str
Username template suffix
user_name_template_type str
Username template type. Default: BUILT_IN
wildcard_redirect str
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
label This property is required. String
The Application's display name.
type This property is required. Changes to this property will trigger replacement. String
The type of client application.
accessibilityErrorRedirectUrl String
Custom error page URL
accessibilityLoginRedirectUrl String
Custom login page URL
accessibilitySelfService Boolean
Enable self service. Default is false
adminNote String
Application notes for admins.
appLinksJson String
Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String
Application settings in JSON format
authenticationPolicy String
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
autoKeyRotation Boolean
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
autoSubmitToolbar Boolean
Display auto submit toolbar
clientBasicSecret String
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
clientId Changes to this property will trigger replacement. String
OAuth client ID. If set during creation, app is created with this id.
clientUri String
URI to a web page providing information about the client.
consentMethod String
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String
Application notes for end users.
grantTypes List<String>
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim Property Map
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean
Do not display application icon on mobile app
hideWeb Boolean
Do not display application icon to users
implicitAssignment Boolean
Early Access Property. Enable Federation Broker Mode.
issuerMode String
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<Property Map>
jwksUri String
URL reference to JWKS
loginMode String
The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>
List of scopes to use for the request
loginUri String
URI that initiates login.
logo String
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String
URI that references a logo for the client.
omitSecret Boolean
This tells the provider not to manage the client_secret value in state. When this is false (the default), the auto-generated client_secret is persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String
URI to web page providing client policy document.
postLogoutRedirectUris List<String>
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
profile String
Custom JSON that represents an OAuth application's profile
redirectUris List<String>
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refreshTokenLeeway Number
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status String
Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tosUri String
URI to web page providing client tos (terms of service).
userNameTemplate String
Username template. Default: ${source.login}
userNameTemplatePushStatus String
Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String
Username template suffix
userNameTemplateType String
Username template type. Default: BUILT_IN
wildcardRedirect String
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

Outputs

All input properties are implicitly available as output properties. Additionally, the OAuth resource produces the following output properties:

ClientSecret string
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
Id string
The provider-assigned unique ID for this managed resource.
LogoUrl string
URL of the application's logo
Name string
Name of the app.
SignOnMode string
Sign on mode of application.
clientSecret string
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
id string
The provider-assigned unique ID for this managed resource.
logoUrl string
URL of the application's logo
name string
Name of the app.
signOnMode string
Sign on mode of application.
client_secret str
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
id str
The provider-assigned unique ID for this managed resource.
logo_url str
URL of the application's logo
name str
Name of the app.
sign_on_mode str
Sign on mode of application.
clientSecret String
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
id String
The provider-assigned unique ID for this managed resource.
logoUrl String
URL of the application's logo
name String
Name of the app.
signOnMode String
Sign on mode of application.
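The inputs and outputs above carry several security-relevant switches: omit_secret (whether client_secret is persisted in state), pkce_required, wildcard_redirect and redirect_uris. The following pre-deployment review of those arguments is an added example, not code from Pulumi or the Okta provider; review_oauth_args, finding_codes and the finding codes are hypothetical names, the sample dictionaries are constructed, and it assumes that "DISABLED" is the off value for wildcard_redirect and that no client secret is issued for the 'none' and 'private_key_jwt' methods.

```python
"""Review okta.app.OAuth arguments (plain dicts keyed by the Python property
names listed on this page) before they are handed to the provider."""
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Assumption of this example: these methods do not rely on a client secret.
SECRETLESS_AUTH = {"none", "private_key_jwt"}


def review_oauth_args(args):
    """Return a list of (code, message) findings for one app's arguments."""
    findings = []
    app_type = args.get("type")
    auth_method = args.get("token_endpoint_auth_method")
    grants = set(args.get("grant_types") or [])
    redirect_uris = list(args.get("redirect_uris") or [])

    # omit_secret defaults to false, in which case the page states that the
    # client_secret is persisted in state.
    if not args.get("omit_secret", False) and auth_method not in SECRETLESS_AUTH:
        findings.append(("SECRET_IN_STATE",
                         "client_secret will be persisted in state; set omit_secret"))

    # Policy of this example: the authorization code grant must opt in to PKCE.
    if "authorization_code" in grants and args.get("pkce_required") is not True:
        findings.append(("PKCE_NOT_REQUIRED",
                         "authorization_code grant without pkce_required=True"))

    # Assumption: "DISABLED" (or leaving the property unset) means exact matching.
    wildcard = args.get("wildcard_redirect")
    if wildcard not in (None, "DISABLED"):
        findings.append(("WILDCARD_REDIRECT",
                         "wildcard matching of redirect_uris enabled: %s" % wildcard))

    # The page: redirect_uris is required for all application types except service.
    if app_type != "service" and not redirect_uris:
        findings.append(("NO_REDIRECT_URIS",
                         "redirect_uris is required for type %r" % app_type))

    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
            findings.append(("CLEARTEXT_REDIRECT",
                             "redirect URI is not HTTPS: %s" % uri))
    return findings


def finding_codes(args):
    """Convenience wrapper: only the finding codes, in the order raised."""
    return [code for code, _ in review_oauth_args(args)]


# Constructed sample arguments (not taken from a real deployment).
WEAK_WEB_APP = {
    "label": "legacy-portal",
    "type": "web",
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "redirect_uris": ["http://portal.example.com/callback"],
    "wildcard_redirect": "SUBDOMAIN",
    "token_endpoint_auth_method": "client_secret_basic",
}

HARDENED_WEB_APP = {
    "label": "portal",
    "type": "web",
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "redirect_uris": ["https://portal.example.com/callback"],
    "wildcard_redirect": "DISABLED",
    "token_endpoint_auth_method": "client_secret_basic",
    "pkce_required": True,
    "omit_secret": True,
}

SERVICE_APP = {
    "label": "batch-job",
    "type": "service",
    "grant_types": ["client_credentials"],
    "token_endpoint_auth_method": "private_key_jwt",
}

if __name__ == "__main__":
    for sample in (WEAK_WEB_APP, HARDENED_WEB_APP, SERVICE_APP):
        print(sample["label"])
        for code, message in review_oauth_args(sample):
            print("  %-20s %s" % (code, message))
```
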

Look up Existing OAuth Resource

Get an existing OAuth resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: OAuthState, opts?: CustomResourceOptions): OAuth
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accessibility_error_redirect_url: Optional[str] = None,
        accessibility_login_redirect_url: Optional[str] = None,
        accessibility_self_service: Optional[bool] = None,
        admin_note: Optional[str] = None,
        app_links_json: Optional[str] = None,
        app_settings_json: Optional[str] = None,
        authentication_policy: Optional[str] = None,
        auto_key_rotation: Optional[bool] = None,
        auto_submit_toolbar: Optional[bool] = None,
        client_basic_secret: Optional[str] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        client_uri: Optional[str] = None,
        consent_method: Optional[str] = None,
        enduser_note: Optional[str] = None,
        grant_types: Optional[Sequence[str]] = None,
        groups_claim: Optional[OAuthGroupsClaimArgs] = None,
        hide_ios: Optional[bool] = None,
        hide_web: Optional[bool] = None,
        implicit_assignment: Optional[bool] = None,
        issuer_mode: Optional[str] = None,
        jwks: Optional[Sequence[OAuthJwkArgs]] = None,
        jwks_uri: Optional[str] = None,
        label: Optional[str] = None,
        login_mode: Optional[str] = None,
        login_scopes: Optional[Sequence[str]] = None,
        login_uri: Optional[str] = None,
        logo: Optional[str] = None,
        logo_uri: Optional[str] = None,
        logo_url: Optional[str] = None,
        name: Optional[str] = None,
        omit_secret: Optional[bool] = None,
        pkce_required: Optional[bool] = None,
        policy_uri: Optional[str] = None,
        post_logout_redirect_uris: Optional[Sequence[str]] = None,
        profile: Optional[str] = None,
        redirect_uris: Optional[Sequence[str]] = None,
        refresh_token_leeway: Optional[int] = None,
        refresh_token_rotation: Optional[str] = None,
        response_types: Optional[Sequence[str]] = None,
        sign_on_mode: Optional[str] = None,
        status: Optional[str] = None,
        token_endpoint_auth_method: Optional[str] = None,
        tos_uri: Optional[str] = None,
        type: Optional[str] = None,
        user_name_template: Optional[str] = None,
        user_name_template_push_status: Optional[str] = None,
        user_name_template_suffix: Optional[str] = None,
        user_name_template_type: Optional[str] = None,
        wildcard_redirect: Optional[str] = None) -> OAuth
func GetOAuth(ctx *Context, name string, id IDInput, state *OAuthState, opts ...ResourceOption) (*OAuth, error)
public static OAuth Get(string name, Input<string> id, OAuthState? state, CustomResourceOptions? opts = null)
public static OAuth get(String name, Output<String> id, OAuthState state, CustomResourceOptions options)
resources:
  _:
    type: okta:app:OAuth
    get:
      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
The following state arguments are supported:
AccessibilityErrorRedirectUrl string
Custom error page URL
AccessibilityLoginRedirectUrl string
Custom login page URL
AccessibilitySelfService bool
Enable self service. Default is false
AdminNote string
Application notes for admins.
AppLinksJson string
Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string
Application settings in JSON format
AuthenticationPolicy string
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
AutoKeyRotation bool
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
AutoSubmitToolbar bool
Display auto submit toolbar
ClientBasicSecret string
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
ClientId Changes to this property will trigger replacement. string
OAuth client ID. If set during creation, app is created with this id.
ClientSecret string
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
ClientUri string
URI to a web page providing information about the client.
ConsentMethod string
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string
Application notes for end users.
GrantTypes List<string>
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaim
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool
Do not display application icon on mobile app
HideWeb bool
Do not display application icon to users
ImplicitAssignment bool
Early Access Property. Enable Federation Broker Mode.
IssuerMode string
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks List<OAuthJwk>
JwksUri string
URL reference to JWKS
Label string
The Application's display name.
LoginMode string
The type of Idp-Initiated login that the client supports, if any
LoginScopes List<string>
List of scopes to use for the request
LoginUri string
URI that initiates login.
Logo string
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string
URI that references a logo for the client.
LogoUrl string
URL of the application's logo
Name string
Name of the app.
OmitSecret bool
This tells the provider not to manage the client_secret value in state. When this is false (the default), the auto-generated client_secret is persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string
URI to web page providing client policy document.
PostLogoutRedirectUris List<string>
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
Profile string
Custom JSON that represents an OAuth application's profile
RedirectUris List<string>
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
RefreshTokenLeeway int
Early Access Property. Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes List<string>
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
SignOnMode string
Sign on mode of application.
Status string
Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
TosUri string
URI to web page providing client tos (terms of service).
Type Changes to this property will trigger replacement. string
The type of client application.
UserNameTemplate string
Username template. Default: ${source.login}
UserNameTemplatePushStatus string
Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string
Username template suffix
UserNameTemplateType string
Username template type. Default: BUILT_IN
WildcardRedirect string
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
AccessibilityErrorRedirectUrl string
Custom error page URL
AccessibilityLoginRedirectUrl string
Custom login page URL
AccessibilitySelfService bool
Enable self service. Default is false
AdminNote string
Application notes for admins.
AppLinksJson string
Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string
Application settings in JSON format
AuthenticationPolicy string
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
AutoKeyRotation bool
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
AutoSubmitToolbar bool
Display auto submit toolbar
ClientBasicSecret string
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
ClientId Changes to this property will trigger replacement. string
OAuth client ID. If set during creation, app is created with this id.
ClientSecret string
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
ClientUri string
URI to a web page providing information about the client.
ConsentMethod string
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string
Application notes for end users.
GrantTypes []string
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaimArgs
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool
Do not display application icon on mobile app
HideWeb bool
Do not display application icon to users
ImplicitAssignment bool
Early Access Property. Enable Federation Broker Mode.
IssuerMode string
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks []OAuthJwkArgs
JwksUri string
URL reference to JWKS
Label string
The Application's display name.
LoginMode string
The type of Idp-Initiated login that the client supports, if any
LoginScopes []string
List of scopes to use for the request
LoginUri string
URI that initiates login.
Logo string
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string
URI that references a logo for the client.
LogoUrl string
URL of the application's logo
Name string
Name of the app.
OmitSecret bool
This tells the provider not to manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string
URI to web page providing client policy document.
PostLogoutRedirectUris []string
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
Profile string
Custom JSON that represents an OAuth application's profile
RedirectUris []string
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
RefreshTokenLeeway int
Early Access Property. Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes []string
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
SignOnMode string
Sign on mode of application.
Status string
Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
TosUri string
URI to web page providing client tos (terms of service).
Type Changes to this property will trigger replacement. string
The type of client application.
UserNameTemplate string
Username template. Default: ${source.login}
UserNameTemplatePushStatus string
Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string
Username template suffix
UserNameTemplateType string
Username template type. Default: BUILT_IN
WildcardRedirect string
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
accessibilityErrorRedirectUrl String
Custom error page URL
accessibilityLoginRedirectUrl String
Custom login page URL
accessibilitySelfService Boolean
Enable self service. Default is false
adminNote String
Application notes for admins.
appLinksJson String
Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String
Application settings in JSON format
authenticationPolicy String
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
autoKeyRotation Boolean
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
autoSubmitToolbar Boolean
Display auto submit toolbar
clientBasicSecret String
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
clientId Changes to this property will trigger replacement. String
OAuth client ID. If set during creation, app is created with this id.
clientSecret String
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
clientUri String
URI to a web page providing information about the client.
consentMethod String
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String
Application notes for end users.
grantTypes List<String>
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean
Do not display application icon on mobile app
hideWeb Boolean
Do not display application icon to users
implicitAssignment Boolean
Early Access Property. Enable Federation Broker Mode.
issuerMode String
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<OAuthJwk>
jwksUri String
URL reference to JWKS
label String
The Application's display name.
loginMode String
The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>
List of scopes to use for the request
loginUri String
URI that initiates login.
logo String
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String
URI that references a logo for the client.
logoUrl String
URL of the application's logo
name String
Name of the app.
omitSecret Boolean
This tells the provider not to manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String
URI to web page providing client policy document.
postLogoutRedirectUris List<String>
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
profile String
Custom JSON that represents an OAuth application's profile
redirectUris List<String>
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refreshTokenLeeway Integer
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
signOnMode String
Sign on mode of application.
status String
Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tosUri String
URI to web page providing client tos (terms of service).
type Changes to this property will trigger replacement. String
The type of client application.
userNameTemplate String
Username template. Default: ${source.login}
userNameTemplatePushStatus String
Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String
Username template suffix
userNameTemplateType String
Username template type. Default: BUILT_IN
wildcardRedirect String
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
accessibilityErrorRedirectUrl string
Custom error page URL
accessibilityLoginRedirectUrl string
Custom login page URL
accessibilitySelfService boolean
Enable self service. Default is false
adminNote string
Application notes for admins.
appLinksJson string
Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson string
Application settings in JSON format
authenticationPolicy string
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
autoKeyRotation boolean
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
autoSubmitToolbar boolean
Display auto submit toolbar
clientBasicSecret string
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
clientId Changes to this property will trigger replacement. string
OAuth client ID. If set during creation, app is created with this id.
clientSecret string
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
clientUri string
URI to a web page providing information about the client.
consentMethod string
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote string
Application notes for end users.
grantTypes string[]
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos boolean
Do not display application icon on mobile app
hideWeb boolean
Do not display application icon to users
implicitAssignment boolean
Early Access Property. Enable Federation Broker Mode.
issuerMode string
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks OAuthJwk[]
jwksUri string
URL reference to JWKS
label string
The Application's display name.
loginMode string
The type of Idp-Initiated login that the client supports, if any
loginScopes string[]
List of scopes to use for the request
loginUri string
URI that initiates login.
logo string
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri string
URI that references a logo for the client.
logoUrl string
URL of the application's logo
name string
Name of the app.
omitSecret boolean
This tells the provider not to manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired boolean
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri string
URI to web page providing client policy document.
postLogoutRedirectUris string[]
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
profile string
Custom JSON that represents an OAuth application's profile
redirectUris string[]
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refreshTokenLeeway number
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation string
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
responseTypes string[]
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
signOnMode string
Sign on mode of application.
status string
Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod string
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tosUri string
URI to web page providing client tos (terms of service).
type Changes to this property will trigger replacement. string
The type of client application.
userNameTemplate string
Username template. Default: ${source.login}
userNameTemplatePushStatus string
Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix string
Username template suffix
userNameTemplateType string
Username template type. Default: BUILT_IN
wildcardRedirect string
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
accessibility_error_redirect_url str
Custom error page URL
accessibility_login_redirect_url str
Custom login page URL
accessibility_self_service bool
Enable self service. Default is false
admin_note str
Application notes for admins.
app_links_json str
Displays specific appLinks for the app. The value for each application link should be boolean.
app_settings_json str
Application settings in JSON format
authentication_policy str
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
auto_key_rotation bool
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
auto_submit_toolbar bool
Display auto submit toolbar
client_basic_secret str
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
client_id Changes to this property will trigger replacement. str
OAuth client ID. If set during creation, app is created with this id.
client_secret str
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
client_uri str
URI to a web page providing information about the client.
consent_method str
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduser_note str
Application notes for end users.
grant_types Sequence[str]
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groups_claim OAuthGroupsClaimArgs
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hide_ios bool
Do not display application icon on mobile app
hide_web bool
Do not display application icon to users
implicit_assignment bool
Early Access Property. Enable Federation Broker Mode.
issuer_mode str
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks Sequence[OAuthJwkArgs]
jwks_uri str
URL reference to JWKS
label str
The Application's display name.
login_mode str
The type of Idp-Initiated login that the client supports, if any
login_scopes Sequence[str]
List of scopes to use for the request
login_uri str
URI that initiates login.
logo str
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logo_uri str
URI that references a logo for the client.
logo_url str
URL of the application's logo
name str
Name of the app.
omit_secret bool
This tells the provider not to manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkce_required bool
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policy_uri str
URI to web page providing client policy document.
post_logout_redirect_uris Sequence[str]
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
profile str
Custom JSON that represents an OAuth application's profile
redirect_uris Sequence[str]
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refresh_token_leeway int
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refresh_token_rotation str
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
response_types Sequence[str]
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
sign_on_mode str
Sign on mode of application.
status str
Status of application. By default, it is ACTIVE
token_endpoint_auth_method str
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tos_uri str
URI to web page providing client tos (terms of service).
type Changes to this property will trigger replacement. str
The type of client application.
user_name_template str
Username template. Default: ${source.login}
user_name_template_push_status str
Push username on update. Valid values: PUSH and DONT_PUSH
user_name_template_suffix str
Username template suffix
user_name_template_type str
Username template type. Default: BUILT_IN
wildcard_redirect str
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris
accessibilityErrorRedirectUrl String
Custom error page URL
accessibilityLoginRedirectUrl String
Custom login page URL
accessibilitySelfService Boolean
Enable self service. Default is false
adminNote String
Application notes for admins.
appLinksJson String
Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String
Application settings in JSON format
authenticationPolicy String
The ID of the associated app_signon_policy. If this property is removed from the application, the default sign-on policy will be associated with this application.
autoKeyRotation Boolean
Requested key rotation mode. If auto_key_rotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
autoSubmitToolbar Boolean
Display auto submit toolbar
clientBasicSecret String
The user-provided OAuth client secret key value. This can be set when token_endpoint_auth_method is client_secret_basic. This does nothing when omit_secret is set to true.
clientId Changes to this property will trigger replacement. String
OAuth client ID. If set during creation, app is created with this id.
clientSecret String
OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
clientUri String
URI to a web page providing information about the client.
consentMethod String
Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String
Application notes for end users.
grantTypes List<String>
List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim Property Map
Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean
Do not display application icon on mobile app
hideWeb Boolean
Do not display application icon to users
implicitAssignment Boolean
Early Access Property. Enable Federation Broker Mode.
issuerMode String
Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<Property Map>
jwksUri String
URL reference to JWKS
label String
The Application's display name.
loginMode String
The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>
List of scopes to use for the request
loginUri String
URI that initiates login.
logo String
Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String
URI that references a logo for the client.
logoUrl String
URL of the application's logo
name String
Name of the app.
omitSecret Boolean
This tells the provider not to manage the client_secret value in state. When this is false (the default), it will cause the auto-generated client_secret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this ever changes from true => false, your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean
Require Proof Key for Code Exchange (PKCE) for additional verification. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String
URI to web page providing client policy document.
postLogoutRedirectUris List<String>
List of URIs for redirection after logout. Note: see okta_app_oauth_post_logout_redirect_uri for appending to this list in a decentralized way.
profile String
Custom JSON that represents an OAuth application's profile
redirectUris List<String>
List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see okta_app_oauth_redirect_uri for appending to this list in a decentralized way.
refreshTokenLeeway Number
Early Access Property. Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String
Early Access Property. Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>
List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
signOnMode String
Sign on mode of application.
status String
Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String
Requested authentication method for the token endpoint. Valid values include: 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt', 'none', etc.
tosUri String
URI to web page providing client tos (terms of service).
type Changes to this property will trigger replacement. String
The type of client application.
userNameTemplate String
Username template. Default: ${source.login}
userNameTemplatePushStatus String
Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String
Username template suffix
userNameTemplateType String
Username template type. Default: BUILT_IN
wildcardRedirect String
Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

Supporting Types

OAuthGroupsClaim, OAuthGroupsClaimArgs

Name This property is required. string
Name of the claim that will be used in the token.
Type This property is required. string
Groups claim type.
Value This property is required. string
Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
FilterType string
Groups claim filter. Can only be set if type is FILTER.
IssuerMode string
Issuer mode inherited from OAuth App
Name This property is required. string
Name of the claim that will be used in the token.
Type This property is required. string
Groups claim type.
Value This property is required. string
Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
FilterType string
Groups claim filter. Can only be set if type is FILTER.
IssuerMode string
Issuer mode inherited from OAuth App
name This property is required. String
Name of the claim that will be used in the token.
type This property is required. String
Groups claim type.
value This property is required. String
Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filterType String
Groups claim filter. Can only be set if type is FILTER.
issuerMode String
Issuer mode inherited from OAuth App
name This property is required. string
Name of the claim that will be used in the token.
type This property is required. string
Groups claim type.
value This property is required. string
Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filterType string
Groups claim filter. Can only be set if type is FILTER.
issuerMode string
Issuer mode inherited from OAuth App
name This property is required. str
Name of the claim that will be used in the token.
type This property is required. str
Groups claim type.
value This property is required. str
Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filter_type str
Groups claim filter. Can only be set if type is FILTER.
issuer_mode str
Issuer mode inherited from OAuth App
name This property is required. String
Name of the claim that will be used in the token.
type This property is required. String
Groups claim type.
value This property is required. String
Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filterType String
Groups claim filter. Can only be set if type is FILTER.
issuerMode String
Issuer mode inherited from OAuth App

OAuthJwk, OAuthJwkArgs

Kid This property is required. string
Key ID
Kty This property is required. string
Key type
E string
RSA Exponent
N string
RSA Modulus
X string
X coordinate of the elliptic curve point
Y string
Y coordinate of the elliptic curve point
Kid This property is required. string
Key ID
Kty This property is required. string
Key type
E string
RSA Exponent
N string
RSA Modulus
X string
X coordinate of the elliptic curve point
Y string
Y coordinate of the elliptic curve point
kid This property is required. String
Key ID
kty This property is required. String
Key type
e String
RSA Exponent
n String
RSA Modulus
x String
X coordinate of the elliptic curve point
y String
Y coordinate of the elliptic curve point
kid This property is required. string
Key ID
kty This property is required. string
Key type
e string
RSA Exponent
n string
RSA Modulus
x string
X coordinate of the elliptic curve point
y string
Y coordinate of the elliptic curve point
kid This property is required. str
Key ID
kty This property is required. str
Key type
e str
RSA Exponent
n str
RSA Modulus
x str
X coordinate of the elliptic curve point
y str
Y coordinate of the elliptic curve point
kid This property is required. String
Key ID
kty This property is required. String
Key type
e String
RSA Exponent
n String
RSA Modulus
x String
X coordinate of the elliptic curve point
y String
Y coordinate of the elliptic curve point
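
Several property descriptions above state constraints that can be checked before a deploy: omit_secret and what lands in state, when client_basic_secret applies, the refresh_token requirements, redirect_uris for non-service apps, the allowed response_types, and filter_type on the groups claim. The following lint is an added example, not code from the Pulumi provider; the function name, the finding format and the sample argument values are constructed for illustration.

```python
"""Pre-deploy lint for okta.app.OAuth arguments (added example, stdlib only)."""

VALID_RESPONSE_TYPES = {"code", "token", "id_token"}


def audit_oauth_args(args):
    """Return (property, message) findings for one app's snake_case arguments."""
    findings = []
    omit_secret = bool(args.get("omit_secret", False))  # documented default: false

    # With omit_secret false the generated client_secret is persisted in state.
    if not omit_secret:
        findings.append(("omit_secret", "client_secret will be persisted in state"))

    # client_basic_secret applies to client_secret_basic only and does nothing
    # once omit_secret is true.
    if args.get("client_basic_secret"):
        method = args.get("token_endpoint_auth_method")
        if omit_secret:
            findings.append(("client_basic_secret", "has no effect while omit_secret is true"))
        elif method != "client_secret_basic":
            findings.append(("client_basic_secret",
                             "set, but token_endpoint_auth_method is %r" % method))

    # Both refresh-token settings are required with the refresh_token grant.
    if "refresh_token" in (args.get("grant_types") or []):
        for key in ("refresh_token_rotation", "refresh_token_leeway"):
            if args.get(key) is None:  # a leeway of 0 is still an explicit value
                findings.append((key, "required with grant type refresh_token"))

    # redirect_uris is required for every application type except service.
    if args.get("type") != "service" and not args.get("redirect_uris"):
        findings.append(("redirect_uris", "required for type %r" % args.get("type")))

    # response_types accepts only combinations of code, token and id_token.
    unknown = sorted(set(args.get("response_types") or []) - VALID_RESPONSE_TYPES)
    if unknown:
        findings.append(("response_types", "unsupported values: %s" % ", ".join(unknown)))

    # groups_claim: name, type and value are required; filter_type needs FILTER.
    claim = args.get("groups_claim")
    if claim:
        for key in ("name", "type", "value"):
            if not claim.get(key):
                findings.append(("groups_claim." + key, "required property is missing"))
        if claim.get("filter_type") and claim.get("type") != "FILTER":
            findings.append(("groups_claim.filter_type", "can only be set if type is FILTER"))

    return findings


# Constructed sample arguments (not taken from a real org).
SAMPLE_WEB = {
    "label": "example-web",
    "type": "web",
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code", "id_token token"],  # two values fused into one string
    "token_endpoint_auth_method": "client_secret_post",
    "client_basic_secret": "constructed-placeholder",
    "groups_claim": {"name": "groups", "type": "EXPRESSION",
                     "value": "constructed-expression", "filter_type": "REGEX"},
}

SAMPLE_SERVICE = {
    "label": "example-service",
    "type": "service",
    "grant_types": ["client_credentials"],
    "response_types": ["token"],
    "token_endpoint_auth_method": "private_key_jwt",
    "omit_secret": True,
}

if __name__ == "__main__":
    for sample in (SAMPLE_WEB, SAMPLE_SERVICE):
        print(sample["label"])
        for prop, message in audit_oauth_args(sample) or [("-", "no findings")]:
            print("  %s: %s" % (prop, message))
```
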

Import

$ pulumi import okta:app/oAuth:OAuth example <app_id>

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Okta pulumi/pulumi-okta
License
Apache-2.0
Notes
This Pulumi package is based on the okta Terraform Provider.