Okta v4.16.0, Apr 9 25

Okta v4.16.0 published on Wednesday, Apr 9, 2025 by Pulumi

okta.app.OAuth

Explore with Pulumi AI

Okta v4.16.0 published on Wednesday, Apr 9, 2025 by Pulumi

The private key format that an Okta OAuth app expects is PKCS#8 (unencrypted). The operator either uploads their own private key or Okta can generate one in the Admin UI Panel under the apps Client Credentials. PKCS#8 format can be identified by a header that starts with -----BEGIN PRIVATE KEY-----. If the operator has a PKCS#1 (unencrypted) format private key (the header starts with -----BEGIN RSA PRIVATE KEY-----) they can generate a PKCS#8 format key with openssl:

 openssl rsa -in pkcs1.pem -out pkcs8-example.pem

Create OAuth Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new OAuth(name: string, args: OAuthArgs, opts?: CustomResourceOptions);

@overload
def OAuth(resource_name: str,
          args: OAuthArgs,
          opts: Optional[ResourceOptions] = None)

@overload
def OAuth(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          label: Optional[str] = None,
          type: Optional[str] = None,
          client_uri: Optional[str] = None,
          admin_note: Optional[str] = None,
          app_links_json: Optional[str] = None,
          app_settings_json: Optional[str] = None,
          authentication_policy: Optional[str] = None,
          auto_key_rotation: Optional[bool] = None,
          auto_submit_toolbar: Optional[bool] = None,
          client_basic_secret: Optional[str] = None,
          client_id: Optional[str] = None,
          accessibility_error_redirect_url: Optional[str] = None,
          consent_method: Optional[str] = None,
          enduser_note: Optional[str] = None,
          grant_types: Optional[Sequence[str]] = None,
          groups_claim: Optional[OAuthGroupsClaimArgs] = None,
          hide_ios: Optional[bool] = None,
          hide_web: Optional[bool] = None,
          implicit_assignment: Optional[bool] = None,
          issuer_mode: Optional[str] = None,
          jwks: Optional[Sequence[OAuthJwkArgs]] = None,
          jwks_uri: Optional[str] = None,
          login_scopes: Optional[Sequence[str]] = None,
          accessibility_self_service: Optional[bool] = None,
          login_mode: Optional[str] = None,
          login_uri: Optional[str] = None,
          logo: Optional[str] = None,
          logo_uri: Optional[str] = None,
          omit_secret: Optional[bool] = None,
          pkce_required: Optional[bool] = None,
          policy_uri: Optional[str] = None,
          post_logout_redirect_uris: Optional[Sequence[str]] = None,
          profile: Optional[str] = None,
          redirect_uris: Optional[Sequence[str]] = None,
          refresh_token_leeway: Optional[int] = None,
          refresh_token_rotation: Optional[str] = None,
          response_types: Optional[Sequence[str]] = None,
          status: Optional[str] = None,
          token_endpoint_auth_method: Optional[str] = None,
          tos_uri: Optional[str] = None,
          accessibility_login_redirect_url: Optional[str] = None,
          user_name_template: Optional[str] = None,
          user_name_template_push_status: Optional[str] = None,
          user_name_template_suffix: Optional[str] = None,
          user_name_template_type: Optional[str] = None,
          wildcard_redirect: Optional[str] = None)

func NewOAuth(ctx *Context, name string, args OAuthArgs, opts ...ResourceOption) (*OAuth, error)

public OAuth(string name, OAuthArgs args, CustomResourceOptions? opts = null)

public OAuth(String name, OAuthArgs args)
public OAuth(String name, OAuthArgs args, CustomResourceOptions options)

type: okta:app:OAuth
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args OAuthArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args OAuthArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args OAuthArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args OAuthArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args OAuthArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var oauthResource = new Okta.App.OAuth("oauthResource", new()
{
    Label = "string",
    Type = "string",
    ClientUri = "string",
    AdminNote = "string",
    AppLinksJson = "string",
    AppSettingsJson = "string",
    AuthenticationPolicy = "string",
    AutoKeyRotation = false,
    AutoSubmitToolbar = false,
    ClientBasicSecret = "string",
    ClientId = "string",
    AccessibilityErrorRedirectUrl = "string",
    ConsentMethod = "string",
    EnduserNote = "string",
    GrantTypes = new[]
    {
        "string",
    },
    GroupsClaim = new Okta.App.Inputs.OAuthGroupsClaimArgs
    {
        Name = "string",
        Type = "string",
        Value = "string",
        FilterType = "string",
        IssuerMode = "string",
    },
    HideIos = false,
    HideWeb = false,
    ImplicitAssignment = false,
    IssuerMode = "string",
    Jwks = new[]
    {
        new Okta.App.Inputs.OAuthJwkArgs
        {
            Kid = "string",
            Kty = "string",
            E = "string",
            N = "string",
            X = "string",
            Y = "string",
        },
    },
    JwksUri = "string",
    LoginScopes = new[]
    {
        "string",
    },
    AccessibilitySelfService = false,
    LoginMode = "string",
    LoginUri = "string",
    Logo = "string",
    LogoUri = "string",
    OmitSecret = false,
    PkceRequired = false,
    PolicyUri = "string",
    PostLogoutRedirectUris = new[]
    {
        "string",
    },
    Profile = "string",
    RedirectUris = new[]
    {
        "string",
    },
    RefreshTokenLeeway = 0,
    RefreshTokenRotation = "string",
    ResponseTypes = new[]
    {
        "string",
    },
    Status = "string",
    TokenEndpointAuthMethod = "string",
    TosUri = "string",
    AccessibilityLoginRedirectUrl = "string",
    UserNameTemplate = "string",
    UserNameTemplatePushStatus = "string",
    UserNameTemplateSuffix = "string",
    UserNameTemplateType = "string",
    WildcardRedirect = "string",
});

example, err := app.NewOAuth(ctx, "oauthResource", &app.OAuthArgs{
	Label:                         pulumi.String("string"),
	Type:                          pulumi.String("string"),
	ClientUri:                     pulumi.String("string"),
	AdminNote:                     pulumi.String("string"),
	AppLinksJson:                  pulumi.String("string"),
	AppSettingsJson:               pulumi.String("string"),
	AuthenticationPolicy:          pulumi.String("string"),
	AutoKeyRotation:               pulumi.Bool(false),
	AutoSubmitToolbar:             pulumi.Bool(false),
	ClientBasicSecret:             pulumi.String("string"),
	ClientId:                      pulumi.String("string"),
	AccessibilityErrorRedirectUrl: pulumi.String("string"),
	ConsentMethod:                 pulumi.String("string"),
	EnduserNote:                   pulumi.String("string"),
	GrantTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	GroupsClaim: &app.OAuthGroupsClaimArgs{
		Name:       pulumi.String("string"),
		Type:       pulumi.String("string"),
		Value:      pulumi.String("string"),
		FilterType: pulumi.String("string"),
		IssuerMode: pulumi.String("string"),
	},
	HideIos:            pulumi.Bool(false),
	HideWeb:            pulumi.Bool(false),
	ImplicitAssignment: pulumi.Bool(false),
	IssuerMode:         pulumi.String("string"),
	Jwks: app.OAuthJwkArray{
		&app.OAuthJwkArgs{
			Kid: pulumi.String("string"),
			Kty: pulumi.String("string"),
			E:   pulumi.String("string"),
			N:   pulumi.String("string"),
			X:   pulumi.String("string"),
			Y:   pulumi.String("string"),
		},
	},
	JwksUri: pulumi.String("string"),
	LoginScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	AccessibilitySelfService: pulumi.Bool(false),
	LoginMode:                pulumi.String("string"),
	LoginUri:                 pulumi.String("string"),
	Logo:                     pulumi.String("string"),
	LogoUri:                  pulumi.String("string"),
	OmitSecret:               pulumi.Bool(false),
	PkceRequired:             pulumi.Bool(false),
	PolicyUri:                pulumi.String("string"),
	PostLogoutRedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	Profile: pulumi.String("string"),
	RedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
	RefreshTokenLeeway:   pulumi.Int(0),
	RefreshTokenRotation: pulumi.String("string"),
	ResponseTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	Status:                        pulumi.String("string"),
	TokenEndpointAuthMethod:       pulumi.String("string"),
	TosUri:                        pulumi.String("string"),
	AccessibilityLoginRedirectUrl: pulumi.String("string"),
	UserNameTemplate:              pulumi.String("string"),
	UserNameTemplatePushStatus:    pulumi.String("string"),
	UserNameTemplateSuffix:        pulumi.String("string"),
	UserNameTemplateType:          pulumi.String("string"),
	WildcardRedirect:              pulumi.String("string"),
})

var oauthResource = new OAuth("oauthResource", OAuthArgs.builder()
    .label("string")
    .type("string")
    .clientUri("string")
    .adminNote("string")
    .appLinksJson("string")
    .appSettingsJson("string")
    .authenticationPolicy("string")
    .autoKeyRotation(false)
    .autoSubmitToolbar(false)
    .clientBasicSecret("string")
    .clientId("string")
    .accessibilityErrorRedirectUrl("string")
    .consentMethod("string")
    .enduserNote("string")
    .grantTypes("string")
    .groupsClaim(OAuthGroupsClaimArgs.builder()
        .name("string")
        .type("string")
        .value("string")
        .filterType("string")
        .issuerMode("string")
        .build())
    .hideIos(false)
    .hideWeb(false)
    .implicitAssignment(false)
    .issuerMode("string")
    .jwks(OAuthJwkArgs.builder()
        .kid("string")
        .kty("string")
        .e("string")
        .n("string")
        .x("string")
        .y("string")
        .build())
    .jwksUri("string")
    .loginScopes("string")
    .accessibilitySelfService(false)
    .loginMode("string")
    .loginUri("string")
    .logo("string")
    .logoUri("string")
    .omitSecret(false)
    .pkceRequired(false)
    .policyUri("string")
    .postLogoutRedirectUris("string")
    .profile("string")
    .redirectUris("string")
    .refreshTokenLeeway(0)
    .refreshTokenRotation("string")
    .responseTypes("string")
    .status("string")
    .tokenEndpointAuthMethod("string")
    .tosUri("string")
    .accessibilityLoginRedirectUrl("string")
    .userNameTemplate("string")
    .userNameTemplatePushStatus("string")
    .userNameTemplateSuffix("string")
    .userNameTemplateType("string")
    .wildcardRedirect("string")
    .build());

oauth_resource = okta.app.OAuth("oauthResource",
    label="string",
    type="string",
    client_uri="string",
    admin_note="string",
    app_links_json="string",
    app_settings_json="string",
    authentication_policy="string",
    auto_key_rotation=False,
    auto_submit_toolbar=False,
    client_basic_secret="string",
    client_id="string",
    accessibility_error_redirect_url="string",
    consent_method="string",
    enduser_note="string",
    grant_types=["string"],
    groups_claim={
        "name": "string",
        "type": "string",
        "value": "string",
        "filter_type": "string",
        "issuer_mode": "string",
    },
    hide_ios=False,
    hide_web=False,
    implicit_assignment=False,
    issuer_mode="string",
    jwks=[{
        "kid": "string",
        "kty": "string",
        "e": "string",
        "n": "string",
        "x": "string",
        "y": "string",
    }],
    jwks_uri="string",
    login_scopes=["string"],
    accessibility_self_service=False,
    login_mode="string",
    login_uri="string",
    logo="string",
    logo_uri="string",
    omit_secret=False,
    pkce_required=False,
    policy_uri="string",
    post_logout_redirect_uris=["string"],
    profile="string",
    redirect_uris=["string"],
    refresh_token_leeway=0,
    refresh_token_rotation="string",
    response_types=["string"],
    status="string",
    token_endpoint_auth_method="string",
    tos_uri="string",
    accessibility_login_redirect_url="string",
    user_name_template="string",
    user_name_template_push_status="string",
    user_name_template_suffix="string",
    user_name_template_type="string",
    wildcard_redirect="string")

const oauthResource = new okta.app.OAuth("oauthResource", {
    label: "string",
    type: "string",
    clientUri: "string",
    adminNote: "string",
    appLinksJson: "string",
    appSettingsJson: "string",
    authenticationPolicy: "string",
    autoKeyRotation: false,
    autoSubmitToolbar: false,
    clientBasicSecret: "string",
    clientId: "string",
    accessibilityErrorRedirectUrl: "string",
    consentMethod: "string",
    enduserNote: "string",
    grantTypes: ["string"],
    groupsClaim: {
        name: "string",
        type: "string",
        value: "string",
        filterType: "string",
        issuerMode: "string",
    },
    hideIos: false,
    hideWeb: false,
    implicitAssignment: false,
    issuerMode: "string",
    jwks: [{
        kid: "string",
        kty: "string",
        e: "string",
        n: "string",
        x: "string",
        y: "string",
    }],
    jwksUri: "string",
    loginScopes: ["string"],
    accessibilitySelfService: false,
    loginMode: "string",
    loginUri: "string",
    logo: "string",
    logoUri: "string",
    omitSecret: false,
    pkceRequired: false,
    policyUri: "string",
    postLogoutRedirectUris: ["string"],
    profile: "string",
    redirectUris: ["string"],
    refreshTokenLeeway: 0,
    refreshTokenRotation: "string",
    responseTypes: ["string"],
    status: "string",
    tokenEndpointAuthMethod: "string",
    tosUri: "string",
    accessibilityLoginRedirectUrl: "string",
    userNameTemplate: "string",
    userNameTemplatePushStatus: "string",
    userNameTemplateSuffix: "string",
    userNameTemplateType: "string",
    wildcardRedirect: "string",
});

type: okta:app:OAuth
properties:
    accessibilityErrorRedirectUrl: string
    accessibilityLoginRedirectUrl: string
    accessibilitySelfService: false
    adminNote: string
    appLinksJson: string
    appSettingsJson: string
    authenticationPolicy: string
    autoKeyRotation: false
    autoSubmitToolbar: false
    clientBasicSecret: string
    clientId: string
    clientUri: string
    consentMethod: string
    enduserNote: string
    grantTypes:
        - string
    groupsClaim:
        filterType: string
        issuerMode: string
        name: string
        type: string
        value: string
    hideIos: false
    hideWeb: false
    implicitAssignment: false
    issuerMode: string
    jwks:
        - e: string
          kid: string
          kty: string
          "n": string
          x: string
          "y": string
    jwksUri: string
    label: string
    loginMode: string
    loginScopes:
        - string
    loginUri: string
    logo: string
    logoUri: string
    omitSecret: false
    pkceRequired: false
    policyUri: string
    postLogoutRedirectUris:
        - string
    profile: string
    redirectUris:
        - string
    refreshTokenLeeway: 0
    refreshTokenRotation: string
    responseTypes:
        - string
    status: string
    tokenEndpointAuthMethod: string
    tosUri: string
    type: string
    userNameTemplate: string
    userNameTemplatePushStatus: string
    userNameTemplateSuffix: string
    userNameTemplateType: string
    wildcardRedirect: string

OAuth Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The OAuth resource accepts the following input properties:

Label string: The Application's display name.
Type string: The type of client application.
AccessibilityErrorRedirectUrl string: Custom error page URL
AccessibilityLoginRedirectUrl string: Custom login page URL
AccessibilitySelfService bool: Enable self service. Default is false
AdminNote string: Application notes for admins.
AppLinksJson string: Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string: Application settings in JSON format
AuthenticationPolicy string: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
AutoKeyRotation bool: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
AutoSubmitToolbar bool: Display auto submit toolbar
ClientBasicSecret string: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
ClientId string: OAuth client ID. If set during creation, app is created with this id.
ClientUri string: URI to a web page providing information about the client.
ConsentMethod string: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string: Application notes for end users.
GrantTypes List<string>: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaim: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool: Do not display application icon on mobile app
HideWeb bool: Do not display application icon to users
ImplicitAssignment bool: Early Access Property. Enable Federation Broker Mode.
IssuerMode string: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks List<OAuthJwk>
JwksUri string: URL reference to JWKS
LoginMode string: The type of Idp-Initiated login that the client supports, if any
LoginScopes List<string>: List of scopes to use for the request
LoginUri string: URI that initiates login.
Logo string: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string: URI that references a logo for the client.
OmitSecret bool: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string: URI to web page providing client policy document.
PostLogoutRedirectUris List<string>: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
Profile string: Custom JSON that represents an OAuth application's profile
RedirectUris List<string>: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
RefreshTokenLeeway int: Early Access Property Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes List<string>: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
Status string: Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
TosUri string: URI to web page providing client tos (terms of service).
UserNameTemplate string: Username template. Default: ${source.login}
UserNameTemplatePushStatus string: Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string: Username template suffix
UserNameTemplateType string: Username template type. Default: BUILT_IN
WildcardRedirect string: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

Label string: The Application's display name.
Type string: The type of client application.
AccessibilityErrorRedirectUrl string: Custom error page URL
AccessibilityLoginRedirectUrl string: Custom login page URL
AccessibilitySelfService bool: Enable self service. Default is false
AdminNote string: Application notes for admins.
AppLinksJson string: Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string: Application settings in JSON format
AuthenticationPolicy string: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
AutoKeyRotation bool: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
AutoSubmitToolbar bool: Display auto submit toolbar
ClientBasicSecret string: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
ClientId string: OAuth client ID. If set during creation, app is created with this id.
ClientUri string: URI to a web page providing information about the client.
ConsentMethod string: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string: Application notes for end users.
GrantTypes []string: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaimArgs: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool: Do not display application icon on mobile app
HideWeb bool: Do not display application icon to users
ImplicitAssignment bool: Early Access Property. Enable Federation Broker Mode.
IssuerMode string: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks []OAuthJwkArgs
JwksUri string: URL reference to JWKS
LoginMode string: The type of Idp-Initiated login that the client supports, if any
LoginScopes []string: List of scopes to use for the request
LoginUri string: URI that initiates login.
Logo string: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string: URI that references a logo for the client.
OmitSecret bool: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string: URI to web page providing client policy document.
PostLogoutRedirectUris []string: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
Profile string: Custom JSON that represents an OAuth application's profile
RedirectUris []string: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
RefreshTokenLeeway int: Early Access Property Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes []string: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
Status string: Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
TosUri string: URI to web page providing client tos (terms of service).
UserNameTemplate string: Username template. Default: ${source.login}
UserNameTemplatePushStatus string: Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string: Username template suffix
UserNameTemplateType string: Username template type. Default: BUILT_IN
WildcardRedirect string: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

label String: The Application's display name.
type String: The type of client application.
accessibilityErrorRedirectUrl String: Custom error page URL
accessibilityLoginRedirectUrl String: Custom login page URL
accessibilitySelfService Boolean: Enable self service. Default is false
adminNote String: Application notes for admins.
appLinksJson String: Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String: Application settings in JSON format
authenticationPolicy String: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
autoKeyRotation Boolean: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
autoSubmitToolbar Boolean: Display auto submit toolbar
clientBasicSecret String: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
clientId String: OAuth client ID. If set during creation, app is created with this id.
clientUri String: URI to a web page providing information about the client.
consentMethod String: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String: Application notes for end users.
grantTypes List<String>: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean: Do not display application icon on mobile app
hideWeb Boolean: Do not display application icon to users
implicitAssignment Boolean: Early Access Property. Enable Federation Broker Mode.
issuerMode String: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<OAuthJwk>
jwksUri String: URL reference to JWKS
loginMode String: The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>: List of scopes to use for the request
loginUri String: URI that initiates login.
logo String: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String: URI that references a logo for the client.
omitSecret Boolean: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String: URI to web page providing client policy document.
postLogoutRedirectUris List<String>: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile String: Custom JSON that represents an OAuth application's profile
redirectUris List<String>: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refreshTokenLeeway Integer: Early Access Property Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status String: Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tosUri String: URI to web page providing client tos (terms of service).
userNameTemplate String: Username template. Default: ${source.login}
userNameTemplatePushStatus String: Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String: Username template suffix
userNameTemplateType String: Username template type. Default: BUILT_IN
wildcardRedirect String: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

label string: The Application's display name.
type string: The type of client application.
accessibilityErrorRedirectUrl string: Custom error page URL
accessibilityLoginRedirectUrl string: Custom login page URL
accessibilitySelfService boolean: Enable self service. Default is false
adminNote string: Application notes for admins.
appLinksJson string: Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson string: Application settings in JSON format
authenticationPolicy string: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
autoKeyRotation boolean: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
autoSubmitToolbar boolean: Display auto submit toolbar
clientBasicSecret string: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
clientId string: OAuth client ID. If set during creation, app is created with this id.
clientUri string: URI to a web page providing information about the client.
consentMethod string: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote string: Application notes for end users.
grantTypes string[]: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos boolean: Do not display application icon on mobile app
hideWeb boolean: Do not display application icon to users
implicitAssignment boolean: Early Access Property. Enable Federation Broker Mode.
issuerMode string: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks OAuthJwk[]
jwksUri string: URL reference to JWKS
loginMode string: The type of Idp-Initiated login that the client supports, if any
loginScopes string[]: List of scopes to use for the request
loginUri string: URI that initiates login.
logo string: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri string: URI that references a logo for the client.
omitSecret boolean: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri string: URI to web page providing client policy document.
postLogoutRedirectUris string[]: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile string: Custom JSON that represents an OAuth application's profile
redirectUris string[]: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refreshTokenLeeway number: Early Access Property Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation string: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
responseTypes string[]: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status string: Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod string: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tosUri string: URI to web page providing client tos (terms of service).
userNameTemplate string: Username template. Default: ${source.login}
userNameTemplatePushStatus string: Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix string: Username template suffix
userNameTemplateType string: Username template type. Default: BUILT_IN
wildcardRedirect string: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

label str: The Application's display name.
type str: The type of client application.
accessibility_error_redirect_url str: Custom error page URL
accessibility_login_redirect_url str: Custom login page URL
accessibility_self_service bool: Enable self service. Default is false
admin_note str: Application notes for admins.
app_links_json str: Displays specific appLinks for the app. The value for each application link should be boolean.
app_settings_json str: Application settings in JSON format
authentication_policy str: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
auto_key_rotation bool: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
auto_submit_toolbar bool: Display auto submit toolbar
client_basic_secret str: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
client_id str: OAuth client ID. If set during creation, app is created with this id.
client_uri str: URI to a web page providing information about the client.
consent_method str: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduser_note str: Application notes for end users.
grant_types Sequence[str]: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groups_claim OAuthGroupsClaimArgs: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hide_ios bool: Do not display application icon on mobile app
hide_web bool: Do not display application icon to users
implicit_assignment bool: Early Access Property. Enable Federation Broker Mode.
issuer_mode str: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks Sequence[OAuthJwkArgs]
jwks_uri str: URL reference to JWKS
login_mode str: The type of Idp-Initiated login that the client supports, if any
login_scopes Sequence[str]: List of scopes to use for the request
login_uri str: URI that initiates login.
logo str: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logo_uri str: URI that references a logo for the client.
omit_secret bool: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkce_required bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policy_uri str: URI to web page providing client policy document.
post_logout_redirect_uris Sequence[str]: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile str: Custom JSON that represents an OAuth application's profile
redirect_uris Sequence[str]: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refresh_token_leeway int: Early Access Property Grace period for token rotation, required with grant types refresh_token
refresh_token_rotation str: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
response_types Sequence[str]: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status str: Status of application. By default, it is ACTIVE
token_endpoint_auth_method str: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tos_uri str: URI to web page providing client tos (terms of service).
user_name_template str: Username template. Default: ${source.login}
user_name_template_push_status str: Push username on update. Valid values: PUSH and DONT_PUSH
user_name_template_suffix str: Username template suffix
user_name_template_type str: Username template type. Default: BUILT_IN
wildcard_redirect str: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

label String: The Application's display name.
type String: The type of client application.
accessibilityErrorRedirectUrl String: Custom error page URL
accessibilityLoginRedirectUrl String: Custom login page URL
accessibilitySelfService Boolean: Enable self service. Default is false
adminNote String: Application notes for admins.
appLinksJson String: Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String: Application settings in JSON format
authenticationPolicy String: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
autoKeyRotation Boolean: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
autoSubmitToolbar Boolean: Display auto submit toolbar
clientBasicSecret String: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
clientId String: OAuth client ID. If set during creation, app is created with this id.
clientUri String: URI to a web page providing information about the client.
consentMethod String: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String: Application notes for end users.
grantTypes List<String>: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim Property Map: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean: Do not display application icon on mobile app
hideWeb Boolean: Do not display application icon to users
implicitAssignment Boolean: Early Access Property. Enable Federation Broker Mode.
issuerMode String: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<Property Map>
jwksUri String: URL reference to JWKS
loginMode String: The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>: List of scopes to use for the request
loginUri String: URI that initiates login.
logo String: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String: URI that references a logo for the client.
omitSecret Boolean: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String: URI to web page providing client policy document.
postLogoutRedirectUris List<String>: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile String: Custom JSON that represents an OAuth application's profile
redirectUris List<String>: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refreshTokenLeeway Number: Early Access Property Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
status String: Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tosUri String: URI to web page providing client tos (terms of service).
userNameTemplate String: Username template. Default: ${source.login}
userNameTemplatePushStatus String: Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String: Username template suffix
userNameTemplateType String: Username template type. Default: BUILT_IN
wildcardRedirect String: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

Outputs

All input properties are implicitly available as output properties. Additionally, the OAuth resource produces the following output properties:

ClientSecret string: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
Id string: The provider-assigned unique ID for this managed resource.
LogoUrl string: URL of the application's logo
Name string: Name of the app.
SignOnMode string: Sign on mode of application.

ClientSecret string: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
Id string: The provider-assigned unique ID for this managed resource.
LogoUrl string: URL of the application's logo
Name string: Name of the app.
SignOnMode string: Sign on mode of application.

clientSecret String: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
id String: The provider-assigned unique ID for this managed resource.
logoUrl String: URL of the application's logo
name String: Name of the app.
signOnMode String: Sign on mode of application.

clientSecret string: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
id string: The provider-assigned unique ID for this managed resource.
logoUrl string: URL of the application's logo
name string: Name of the app.
signOnMode string: Sign on mode of application.

client_secret str: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
id str: The provider-assigned unique ID for this managed resource.
logo_url str: URL of the application's logo
name str: Name of the app.
sign_on_mode str: Sign on mode of application.

clientSecret String: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
id String: The provider-assigned unique ID for this managed resource.
logoUrl String: URL of the application's logo
name String: Name of the app.
signOnMode String: Sign on mode of application.

Look up Existing OAuth Resource

Get an existing OAuth resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: OAuthState, opts?: CustomResourceOptions): OAuth

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accessibility_error_redirect_url: Optional[str] = None,
        accessibility_login_redirect_url: Optional[str] = None,
        accessibility_self_service: Optional[bool] = None,
        admin_note: Optional[str] = None,
        app_links_json: Optional[str] = None,
        app_settings_json: Optional[str] = None,
        authentication_policy: Optional[str] = None,
        auto_key_rotation: Optional[bool] = None,
        auto_submit_toolbar: Optional[bool] = None,
        client_basic_secret: Optional[str] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        client_uri: Optional[str] = None,
        consent_method: Optional[str] = None,
        enduser_note: Optional[str] = None,
        grant_types: Optional[Sequence[str]] = None,
        groups_claim: Optional[OAuthGroupsClaimArgs] = None,
        hide_ios: Optional[bool] = None,
        hide_web: Optional[bool] = None,
        implicit_assignment: Optional[bool] = None,
        issuer_mode: Optional[str] = None,
        jwks: Optional[Sequence[OAuthJwkArgs]] = None,
        jwks_uri: Optional[str] = None,
        label: Optional[str] = None,
        login_mode: Optional[str] = None,
        login_scopes: Optional[Sequence[str]] = None,
        login_uri: Optional[str] = None,
        logo: Optional[str] = None,
        logo_uri: Optional[str] = None,
        logo_url: Optional[str] = None,
        name: Optional[str] = None,
        omit_secret: Optional[bool] = None,
        pkce_required: Optional[bool] = None,
        policy_uri: Optional[str] = None,
        post_logout_redirect_uris: Optional[Sequence[str]] = None,
        profile: Optional[str] = None,
        redirect_uris: Optional[Sequence[str]] = None,
        refresh_token_leeway: Optional[int] = None,
        refresh_token_rotation: Optional[str] = None,
        response_types: Optional[Sequence[str]] = None,
        sign_on_mode: Optional[str] = None,
        status: Optional[str] = None,
        token_endpoint_auth_method: Optional[str] = None,
        tos_uri: Optional[str] = None,
        type: Optional[str] = None,
        user_name_template: Optional[str] = None,
        user_name_template_push_status: Optional[str] = None,
        user_name_template_suffix: Optional[str] = None,
        user_name_template_type: Optional[str] = None,
        wildcard_redirect: Optional[str] = None) -> OAuth

func GetOAuth(ctx *Context, name string, id IDInput, state *OAuthState, opts ...ResourceOption) (*OAuth, error)

public static OAuth Get(string name, Input<string> id, OAuthState? state, CustomResourceOptions? opts = null)

public static OAuth get(String name, Output<String> id, OAuthState state, CustomResourceOptions options)

resources:  _:    type: okta:app:OAuth    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccessibilityErrorRedirectUrl string: Custom error page URL
AccessibilityLoginRedirectUrl string: Custom login page URL
AccessibilitySelfService bool: Enable self service. Default is false
AdminNote string: Application notes for admins.
AppLinksJson string: Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string: Application settings in JSON format
AuthenticationPolicy string: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
AutoKeyRotation bool: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
AutoSubmitToolbar bool: Display auto submit toolbar
ClientBasicSecret string: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
ClientId string: OAuth client ID. If set during creation, app is created with this id.
ClientSecret string: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
ClientUri string: URI to a web page providing information about the client.
ConsentMethod string: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string: Application notes for end users.
GrantTypes List<string>: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaim: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool: Do not display application icon on mobile app
HideWeb bool: Do not display application icon to users
ImplicitAssignment bool: Early Access Property. Enable Federation Broker Mode.
IssuerMode string: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks List<OAuthJwk>
JwksUri string: URL reference to JWKS
Label string: The Application's display name.
LoginMode string: The type of Idp-Initiated login that the client supports, if any
LoginScopes List<string>: List of scopes to use for the request
LoginUri string: URI that initiates login.
Logo string: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string: URI that references a logo for the client.
LogoUrl string: URL of the application's logo
Name string: Name of the app.
OmitSecret bool: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string: URI to web page providing client policy document.
PostLogoutRedirectUris List<string>: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
Profile string: Custom JSON that represents an OAuth application's profile
RedirectUris List<string>: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
RefreshTokenLeeway int: Early Access Property Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes List<string>: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
SignOnMode string: Sign on mode of application.
Status string: Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
TosUri string: URI to web page providing client tos (terms of service).
Type string: The type of client application.
UserNameTemplate string: Username template. Default: ${source.login}
UserNameTemplatePushStatus string: Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string: Username template suffix
UserNameTemplateType string: Username template type. Default: BUILT_IN
WildcardRedirect string: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

AccessibilityErrorRedirectUrl string: Custom error page URL
AccessibilityLoginRedirectUrl string: Custom login page URL
AccessibilitySelfService bool: Enable self service. Default is false
AdminNote string: Application notes for admins.
AppLinksJson string: Displays specific appLinks for the app. The value for each application link should be boolean.
AppSettingsJson string: Application settings in JSON format
AuthenticationPolicy string: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
AutoKeyRotation bool: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
AutoSubmitToolbar bool: Display auto submit toolbar
ClientBasicSecret string: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
ClientId string: OAuth client ID. If set during creation, app is created with this id.
ClientSecret string: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
ClientUri string: URI to a web page providing information about the client.
ConsentMethod string: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
EnduserNote string: Application notes for end users.
GrantTypes []string: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
GroupsClaim OAuthGroupsClaimArgs: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
HideIos bool: Do not display application icon on mobile app
HideWeb bool: Do not display application icon to users
ImplicitAssignment bool: Early Access Property. Enable Federation Broker Mode.
IssuerMode string: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
Jwks []OAuthJwkArgs
JwksUri string: URL reference to JWKS
Label string: The Application's display name.
LoginMode string: The type of Idp-Initiated login that the client supports, if any
LoginScopes []string: List of scopes to use for the request
LoginUri string: URI that initiates login.
Logo string: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
LogoUri string: URI that references a logo for the client.
LogoUrl string: URL of the application's logo
Name string: Name of the app.
OmitSecret bool: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
PkceRequired bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
PolicyUri string: URI to web page providing client policy document.
PostLogoutRedirectUris []string: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
Profile string: Custom JSON that represents an OAuth application's profile
RedirectUris []string: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
RefreshTokenLeeway int: Early Access Property Grace period for token rotation, required with grant types refresh_token
RefreshTokenRotation string: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
ResponseTypes []string: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
SignOnMode string: Sign on mode of application.
Status string: Status of application. By default, it is ACTIVE
TokenEndpointAuthMethod string: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
TosUri string: URI to web page providing client tos (terms of service).
Type string: The type of client application.
UserNameTemplate string: Username template. Default: ${source.login}
UserNameTemplatePushStatus string: Push username on update. Valid values: PUSH and DONT_PUSH
UserNameTemplateSuffix string: Username template suffix
UserNameTemplateType string: Username template type. Default: BUILT_IN
WildcardRedirect string: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

accessibilityErrorRedirectUrl String: Custom error page URL
accessibilityLoginRedirectUrl String: Custom login page URL
accessibilitySelfService Boolean: Enable self service. Default is false
adminNote String: Application notes for admins.
appLinksJson String: Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String: Application settings in JSON format
authenticationPolicy String: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
autoKeyRotation Boolean: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
autoSubmitToolbar Boolean: Display auto submit toolbar
clientBasicSecret String: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
clientId String: OAuth client ID. If set during creation, app is created with this id.
clientSecret String: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
clientUri String: URI to a web page providing information about the client.
consentMethod String: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String: Application notes for end users.
grantTypes List<String>: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean: Do not display application icon on mobile app
hideWeb Boolean: Do not display application icon to users
implicitAssignment Boolean: Early Access Property. Enable Federation Broker Mode.
issuerMode String: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<OAuthJwk>
jwksUri String: URL reference to JWKS
label String: The Application's display name.
loginMode String: The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>: List of scopes to use for the request
loginUri String: URI that initiates login.
logo String: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String: URI that references a logo for the client.
logoUrl String: URL of the application's logo
name String: Name of the app.
omitSecret Boolean: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String: URI to web page providing client policy document.
postLogoutRedirectUris List<String>: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile String: Custom JSON that represents an OAuth application's profile
redirectUris List<String>: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refreshTokenLeeway Integer: Early Access Property Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
signOnMode String: Sign on mode of application.
status String: Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tosUri String: URI to web page providing client tos (terms of service).
type String: The type of client application.
userNameTemplate String: Username template. Default: ${source.login}
userNameTemplatePushStatus String: Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String: Username template suffix
userNameTemplateType String: Username template type. Default: BUILT_IN
wildcardRedirect String: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

accessibilityErrorRedirectUrl string: Custom error page URL
accessibilityLoginRedirectUrl string: Custom login page URL
accessibilitySelfService boolean: Enable self service. Default is false
adminNote string: Application notes for admins.
appLinksJson string: Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson string: Application settings in JSON format
authenticationPolicy string: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
autoKeyRotation boolean: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
autoSubmitToolbar boolean: Display auto submit toolbar
clientBasicSecret string: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
clientId string: OAuth client ID. If set during creation, app is created with this id.
clientSecret string: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
clientUri string: URI to a web page providing information about the client.
consentMethod string: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote string: Application notes for end users.
grantTypes string[]: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim OAuthGroupsClaim: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos boolean: Do not display application icon on mobile app
hideWeb boolean: Do not display application icon to users
implicitAssignment boolean: Early Access Property. Enable Federation Broker Mode.
issuerMode string: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks OAuthJwk[]
jwksUri string: URL reference to JWKS
label string: The Application's display name.
loginMode string: The type of Idp-Initiated login that the client supports, if any
loginScopes string[]: List of scopes to use for the request
loginUri string: URI that initiates login.
logo string: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri string: URI that references a logo for the client.
logoUrl string: URL of the application's logo
name string: Name of the app.
omitSecret boolean: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri string: URI to web page providing client policy document.
postLogoutRedirectUris string[]: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile string: Custom JSON that represents an OAuth application's profile
redirectUris string[]: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refreshTokenLeeway number: Early Access Property Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation string: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
responseTypes string[]: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
signOnMode string: Sign on mode of application.
status string: Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod string: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tosUri string: URI to web page providing client tos (terms of service).
type string: The type of client application.
userNameTemplate string: Username template. Default: ${source.login}
userNameTemplatePushStatus string: Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix string: Username template suffix
userNameTemplateType string: Username template type. Default: BUILT_IN
wildcardRedirect string: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

accessibility_error_redirect_url str: Custom error page URL
accessibility_login_redirect_url str: Custom login page URL
accessibility_self_service bool: Enable self service. Default is false
admin_note str: Application notes for admins.
app_links_json str: Displays specific appLinks for the app. The value for each application link should be boolean.
app_settings_json str: Application settings in JSON format
authentication_policy str: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
auto_key_rotation bool: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
auto_submit_toolbar bool: Display auto submit toolbar
client_basic_secret str: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
client_id str: OAuth client ID. If set during creation, app is created with this id.
client_secret str: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
client_uri str: URI to a web page providing information about the client.
consent_method str: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduser_note str: Application notes for end users.
grant_types Sequence[str]: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groups_claim OAuthGroupsClaimArgs: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hide_ios bool: Do not display application icon on mobile app
hide_web bool: Do not display application icon to users
implicit_assignment bool: Early Access Property. Enable Federation Broker Mode.
issuer_mode str: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks Sequence[OAuthJwkArgs]
jwks_uri str: URL reference to JWKS
label str: The Application's display name.
login_mode str: The type of Idp-Initiated login that the client supports, if any
login_scopes Sequence[str]: List of scopes to use for the request
login_uri str: URI that initiates login.
logo str: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logo_uri str: URI that references a logo for the client.
logo_url str: URL of the application's logo
name str: Name of the app.
omit_secret bool: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkce_required bool: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policy_uri str: URI to web page providing client policy document.
post_logout_redirect_uris Sequence[str]: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile str: Custom JSON that represents an OAuth application's profile
redirect_uris Sequence[str]: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refresh_token_leeway int: Early Access Property Grace period for token rotation, required with grant types refresh_token
refresh_token_rotation str: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
response_types Sequence[str]: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
sign_on_mode str: Sign on mode of application.
status str: Status of application. By default, it is ACTIVE
token_endpoint_auth_method str: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tos_uri str: URI to web page providing client tos (terms of service).
type str: The type of client application.
user_name_template str: Username template. Default: ${source.login}
user_name_template_push_status str: Push username on update. Valid values: PUSH and DONT_PUSH
user_name_template_suffix str: Username template suffix
user_name_template_type str: Username template type. Default: BUILT_IN
wildcard_redirect str: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

accessibilityErrorRedirectUrl String: Custom error page URL
accessibilityLoginRedirectUrl String: Custom login page URL
accessibilitySelfService Boolean: Enable self service. Default is false
adminNote String: Application notes for admins.
appLinksJson String: Displays specific appLinks for the app. The value for each application link should be boolean.
appSettingsJson String: Application settings in JSON format
authenticationPolicy String: The ID of the associated appsignonpolicy. If this property is removed from the application the default sign-on-policy will be associated with this application.
autoKeyRotation Boolean: Requested key rotation mode. If autokeyrotation isn't specified, the client automatically opts in for Okta's key rotation. You can update this property via the API or via the administrator UI. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object"
autoSubmitToolbar Boolean: Display auto submit toolbar
clientBasicSecret String: The user provided OAuth client secret key value, this can be set when tokenendpointauthmethod is clientsecretbasic. This does nothing when `omitsecret is set to true.
clientId String: OAuth client ID. If set during creation, app is created with this id.
clientSecret String: OAuth client secret value, this is output only. This will be in plain text in your statefile unless you set omit_secret above.
clientUri String: URI to a web page providing information about the client.
consentMethod String: Early Access Property. Indicates whether user consent is required or implicit. Valid values: REQUIRED, TRUSTED. Default value is TRUSTED
enduserNote String: Application notes for end users.
grantTypes List<String>: List of OAuth 2.0 grant types. Conditional validation params found here https://developer.okta.com/docs/api/resources/apps#credentials-settings-details. Defaults to minimum requirements per app type.
groupsClaim Property Map: Groups claim for an OpenID Connect client application (argument is ignored when API auth is done with OAuth 2.0 credentials)
hideIos Boolean: Do not display application icon on mobile app
hideWeb Boolean: Do not display application icon to users
implicitAssignment Boolean: Early Access Property. Enable Federation Broker Mode.
issuerMode String: Early Access Property. Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client.
jwks List<Property Map>
jwksUri String: URL reference to JWKS
label String: The Application's display name.
loginMode String: The type of Idp-Initiated login that the client supports, if any
loginScopes List<String>: List of scopes to use for the request
loginUri String: URI that initiates login.
logo String: Local file path to the logo. The file must be in PNG, JPG, or GIF format, and less than 1 MB in size.
logoUri String: URI that references a logo for the client.
logoUrl String: URL of the application's logo
name String: Name of the app.
omitSecret Boolean: This tells the provider not manage the clientsecret value in state. When this is false (the default), it will cause the auto-generated clientsecret to be persisted in the client_secret attribute in state. This also means that every time an update to this app is run, this value is also set on the API. If this changes from false => true, the client_secret is dropped from state and the secret at the time of the apply is what remains. If this is ever changes from true => false your app will be recreated, due to the need to regenerate a secret we can store in state.
pkceRequired Boolean: Require Proof Key for Code Exchange (PKCE) for additional verification key rotation mode. See: https://developer.okta.com/docs/reference/api/apps/#oauth-credential-object
policyUri String: URI to web page providing client policy document.
postLogoutRedirectUris List<String>: List of URIs for redirection after logout. Note: see oktaappoauthpostlogoutredirecturi for appending to this list in a decentralized way.
profile String: Custom JSON that represents an OAuth application's profile
redirectUris List<String>: List of URIs for use in the redirect-based flow. This is required for all application types except service. Note: see oktaappoauthredirecturi for appending to this list in a decentralized way.
refreshTokenLeeway Number: Early Access Property Grace period for token rotation, required with grant types refresh_token
refreshTokenRotation String: Early Access Property Refresh token rotation behavior, required with grant types refresh_token
responseTypes List<String>: List of OAuth 2.0 response type strings. Valid values are any combination of: code, token, and id_token.
signOnMode String: Sign on mode of application.
status String: Status of application. By default, it is ACTIVE
tokenEndpointAuthMethod String: Requested authentication method for the token endpoint, valid values include: 'clientsecretbasic', 'clientsecretpost', 'clientsecretjwt', 'privatekeyjwt', 'none', etc.
tosUri String: URI to web page providing client tos (terms of service).
type String: The type of client application.
userNameTemplate String: Username template. Default: ${source.login}
userNameTemplatePushStatus String: Push username on update. Valid values: PUSH and DONT_PUSH
userNameTemplateSuffix String: Username template suffix
userNameTemplateType String: Username template type. Default: BUILT_IN
wildcardRedirect String: Early Access Property. Indicates if the client is allowed to use wildcard matching of redirect_uris

Supporting Types

OAuthGroupsClaim
, OAuthGroupsClaimArgs

Name string: Name of the claim that will be used in the token.
Type string: Groups claim type.
Value string: Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
FilterType string: Groups claim filter. Can only be set if type is FILTER.
IssuerMode string: Issuer mode inherited from OAuth App

Name string: Name of the claim that will be used in the token.
Type string: Groups claim type.
Value string: Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
FilterType string: Groups claim filter. Can only be set if type is FILTER.
IssuerMode string: Issuer mode inherited from OAuth App

name String: Name of the claim that will be used in the token.
type String: Groups claim type.
value String: Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filterType String: Groups claim filter. Can only be set if type is FILTER.
issuerMode String: Issuer mode inherited from OAuth App

name string: Name of the claim that will be used in the token.
type string: Groups claim type.
value string: Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filterType string: Groups claim filter. Can only be set if type is FILTER.
issuerMode string: Issuer mode inherited from OAuth App

name str: Name of the claim that will be used in the token.
type str: Groups claim type.
value str: Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filter_type str: Groups claim filter. Can only be set if type is FILTER.
issuer_mode str: Issuer mode inherited from OAuth App

name String: Name of the claim that will be used in the token.
type String: Groups claim type.
value String: Value of the claim. Can be an Okta Expression Language statement that evaluates at the time the token is minted.
filterType String: Groups claim filter. Can only be set if type is FILTER.
issuerMode String: Issuer mode inherited from OAuth App

OAuthJwk
, OAuthJwkArgs

Kid string: Key ID
Kty string: Key type
E string: RSA Exponent
N string: RSA Modulus
X string: X coordinate of the elliptic curve point
Y string: Y coordinate of the elliptic curve point

Kid string: Key ID
Kty string: Key type
E string: RSA Exponent
N string: RSA Modulus
X string: X coordinate of the elliptic curve point
Y string: Y coordinate of the elliptic curve point

kid String: Key ID
kty String: Key type
e String: RSA Exponent
n String: RSA Modulus
x String: X coordinate of the elliptic curve point
y String: Y coordinate of the elliptic curve point

kid string: Key ID
kty string: Key type
e string: RSA Exponent
n string: RSA Modulus
x string: X coordinate of the elliptic curve point
y string: Y coordinate of the elliptic curve point

kid str: Key ID
kty str: Key type
e str: RSA Exponent
n str: RSA Modulus
x str: X coordinate of the elliptic curve point
y str: Y coordinate of the elliptic curve point

kid String: Key ID
kty String: Key type
e String: RSA Exponent
n String: RSA Modulus
x String: X coordinate of the elliptic curve point
y String: Y coordinate of the elliptic curve point

Import

$ pulumi import okta:app/oAuth:OAuth example <app_id>

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Okta pulumi/pulumi-okta
License: Apache-2.0
Notes: This Pulumi package is based on the okta Terraform Provider.

Okta v4.16.0 published on Wednesday, Apr 9, 2025 by Pulumi

pulumi/pulumi-okta

okta.app.OAuth

On this page

On this page

Private Keys

Create OAuth Resource

Constructor syntax

Parameters

Constructor example

OAuth Resource Properties

Inputs

Outputs

Look up Existing OAuth Resource

Supporting Types

OAuthGroupsClaim
, OAuthGroupsClaimArgs

OAuthJwk
, OAuthJwkArgs

Import

Package Details

On this page

On this page

okta.app.OAuth

On this page

On this page

Private Keys

Create OAuth Resource

Constructor syntax

Parameters

Constructor example

OAuth Resource Properties

Inputs

Outputs

Look up Existing OAuth Resource

Supporting Types

OAuthGroupsClaim, OAuthGroupsClaimArgs

OAuthJwk, OAuthJwkArgs

Import

Package Details

On this page

On this page

OAuthGroupsClaim
, OAuthGroupsClaimArgs

OAuthJwk
, OAuthJwkArgs