FusionAuth v6.0.2, Feb 9 25

FusionAuth v6.0.2 published on Sunday, Feb 9, 2025 by Theo Gravity

fusionauth.FusionAuthIdpExternalJwt

Explore with Pulumi AI

FusionAuth v6.0.2 published on Sunday, Feb 9, 2025 by Theo Gravity

# External JWT Identity Provider Resource

This is a special type of identity provider that is only used via the JWT Reconcile API. This identity provider defines the claims inside the incoming JWT and how they map to fields in the FusionAuth User object.

In order for this identity provider to use the JWT, it also needs the public key or HMAC secret that the JWT was signed with. FusionAuth will verify that the JWT is valid and has not expired. Once the JWT has been validated, FusionAuth will reconcile it to ensure that the User exists and is up-to-date.

External JWT Identity Providers API

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as fusionauth from "pulumi-fusionauth";

const jwt = new fusionauth.FusionAuthIdpExternalJwt("jwt", {
    claimMap: {
        dept: "RegistrationData",
        first_name: "firstName",
        last_name: "lastName",
    },
    debug: false,
    enabled: true,
    headerKeyParameter: "kid",
    oauth2AuthorizationEndpoint: "https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect",
    oauth2TokenEndpoint: "https://acme.com/adfs/oauth2/token",
    uniqueIdentityClaim: "email",
});

import pulumi
import theogravity_pulumi_fusionauth as fusionauth

jwt = fusionauth.FusionAuthIdpExternalJwt("jwt",
    claim_map={
        "dept": "RegistrationData",
        "first_name": "firstName",
        "last_name": "lastName",
    },
    debug=False,
    enabled=True,
    header_key_parameter="kid",
    oauth2_authorization_endpoint="https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect",
    oauth2_token_endpoint="https://acme.com/adfs/oauth2/token",
    unique_identity_claim="email")

package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/theogravity/pulumi-fusionauth/sdk/go/fusionauth"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := fusionauth.NewFusionAuthIdpExternalJwt(ctx, "jwt", &fusionauth.FusionAuthIdpExternalJwtArgs{
			ClaimMap: pulumi.StringMap{
				"dept":       pulumi.String("RegistrationData"),
				"first_name": pulumi.String("firstName"),
				"last_name":  pulumi.String("lastName"),
			},
			Debug:                       pulumi.Bool(false),
			Enabled:                     pulumi.Bool(true),
			HeaderKeyParameter:          pulumi.String("kid"),
			Oauth2AuthorizationEndpoint: pulumi.String("https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect"),
			Oauth2TokenEndpoint:         pulumi.String("https://acme.com/adfs/oauth2/token"),
			UniqueIdentityClaim:         pulumi.String("email"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fusionauth = theogravity.Fusionauth;

return await Deployment.RunAsync(() => 
{
    var jwt = new Fusionauth.FusionAuthIdpExternalJwt("jwt", new()
    {
        ClaimMap = 
        {
            { "dept", "RegistrationData" },
            { "first_name", "firstName" },
            { "last_name", "lastName" },
        },
        Debug = false,
        Enabled = true,
        HeaderKeyParameter = "kid",
        Oauth2AuthorizationEndpoint = "https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect",
        Oauth2TokenEndpoint = "https://acme.com/adfs/oauth2/token",
        UniqueIdentityClaim = "email",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fusionauth.FusionAuthIdpExternalJwt;
import com.pulumi.fusionauth.FusionAuthIdpExternalJwtArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var jwt = new FusionAuthIdpExternalJwt("jwt", FusionAuthIdpExternalJwtArgs.builder()
            .claimMap(Map.ofEntries(
                Map.entry("dept", "RegistrationData"),
                Map.entry("first_name", "firstName"),
                Map.entry("last_name", "lastName")
            ))
            .debug(false)
            .enabled(true)
            .headerKeyParameter("kid")
            .oauth2AuthorizationEndpoint("https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect")
            .oauth2TokenEndpoint("https://acme.com/adfs/oauth2/token")
            .uniqueIdentityClaim("email")
            .build());

    }
}

resources:
  jwt:
    type: fusionauth:FusionAuthIdpExternalJwt
    properties:
      claimMap:
        dept: RegistrationData
        first_name: firstName
        last_name: lastName
      debug: false
      enabled: true
      headerKeyParameter: kid
      oauth2AuthorizationEndpoint: https://acme.com/adfs/oauth2/authorize?client_id=cf3b00da-9551-460a-ad18-33232e6cbff0&response_type=code&redirect_uri=https://acme.com/oauth2/redirect
      oauth2TokenEndpoint: https://acme.com/adfs/oauth2/token
      uniqueIdentityClaim: email

Create FusionAuthIdpExternalJwt Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new FusionAuthIdpExternalJwt(name: string, args: FusionAuthIdpExternalJwtArgs, opts?: CustomResourceOptions);

@overload
def FusionAuthIdpExternalJwt(resource_name: str,
                             args: FusionAuthIdpExternalJwtArgs,
                             opts: Optional[ResourceOptions] = None)

@overload
def FusionAuthIdpExternalJwt(resource_name: str,
                             opts: Optional[ResourceOptions] = None,
                             header_key_parameter: Optional[str] = None,
                             lambda_reconcile_id: Optional[str] = None,
                             default_key_id: Optional[str] = None,
                             name: Optional[str] = None,
                             oauth2_authorization_endpoint: Optional[str] = None,
                             enabled: Optional[bool] = None,
                             claim_map: Optional[Mapping[str, str]] = None,
                             idp_id: Optional[str] = None,
                             application_configurations: Optional[Sequence[FusionAuthIdpExternalJwtApplicationConfigurationArgs]] = None,
                             unique_identity_claim: Optional[str] = None,
                             debug: Optional[bool] = None,
                             domains: Optional[Sequence[str]] = None,
                             oauth2_email_claim: Optional[str] = None,
                             oauth2_email_verified_claim: Optional[str] = None,
                             oauth2_token_endpoint: Optional[str] = None,
                             oauth2_unique_id_claim: Optional[str] = None,
                             oauth2_username_claim: Optional[str] = None,
                             tenant_configurations: Optional[Sequence[FusionAuthIdpExternalJwtTenantConfigurationArgs]] = None,
                             linking_strategy: Optional[str] = None)

func NewFusionAuthIdpExternalJwt(ctx *Context, name string, args FusionAuthIdpExternalJwtArgs, opts ...ResourceOption) (*FusionAuthIdpExternalJwt, error)

public FusionAuthIdpExternalJwt(string name, FusionAuthIdpExternalJwtArgs args, CustomResourceOptions? opts = null)

public FusionAuthIdpExternalJwt(String name, FusionAuthIdpExternalJwtArgs args)
public FusionAuthIdpExternalJwt(String name, FusionAuthIdpExternalJwtArgs args, CustomResourceOptions options)

type: fusionauth:FusionAuthIdpExternalJwt
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args FusionAuthIdpExternalJwtArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args FusionAuthIdpExternalJwtArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args FusionAuthIdpExternalJwtArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args FusionAuthIdpExternalJwtArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args FusionAuthIdpExternalJwtArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var fusionAuthIdpExternalJwtResource = new Fusionauth.FusionAuthIdpExternalJwt("fusionAuthIdpExternalJwtResource", new()
{
    HeaderKeyParameter = "string",
    LambdaReconcileId = "string",
    DefaultKeyId = "string",
    Name = "string",
    Oauth2AuthorizationEndpoint = "string",
    Enabled = false,
    ClaimMap = 
    {
        { "string", "string" },
    },
    IdpId = "string",
    ApplicationConfigurations = new[]
    {
        new Fusionauth.Inputs.FusionAuthIdpExternalJwtApplicationConfigurationArgs
        {
            ApplicationId = "string",
            CreateRegistration = false,
            Enabled = false,
        },
    },
    Debug = false,
    Domains = new[]
    {
        "string",
    },
    Oauth2EmailClaim = "string",
    Oauth2EmailVerifiedClaim = "string",
    Oauth2TokenEndpoint = "string",
    Oauth2UniqueIdClaim = "string",
    Oauth2UsernameClaim = "string",
    TenantConfigurations = new[]
    {
        new Fusionauth.Inputs.FusionAuthIdpExternalJwtTenantConfigurationArgs
        {
            LimitUserLinkCountEnabled = false,
            LimitUserLinkCountMaximumLinks = 0,
            TenantId = "string",
        },
    },
    LinkingStrategy = "string",
});

example, err := fusionauth.NewFusionAuthIdpExternalJwt(ctx, "fusionAuthIdpExternalJwtResource", &fusionauth.FusionAuthIdpExternalJwtArgs{
	HeaderKeyParameter:          pulumi.String("string"),
	LambdaReconcileId:           pulumi.String("string"),
	DefaultKeyId:                pulumi.String("string"),
	Name:                        pulumi.String("string"),
	Oauth2AuthorizationEndpoint: pulumi.String("string"),
	Enabled:                     pulumi.Bool(false),
	ClaimMap: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	IdpId: pulumi.String("string"),
	ApplicationConfigurations: fusionauth.FusionAuthIdpExternalJwtApplicationConfigurationArray{
		&fusionauth.FusionAuthIdpExternalJwtApplicationConfigurationArgs{
			ApplicationId:      pulumi.String("string"),
			CreateRegistration: pulumi.Bool(false),
			Enabled:            pulumi.Bool(false),
		},
	},
	Debug: pulumi.Bool(false),
	Domains: pulumi.StringArray{
		pulumi.String("string"),
	},
	Oauth2EmailClaim:         pulumi.String("string"),
	Oauth2EmailVerifiedClaim: pulumi.String("string"),
	Oauth2TokenEndpoint:      pulumi.String("string"),
	Oauth2UniqueIdClaim:      pulumi.String("string"),
	Oauth2UsernameClaim:      pulumi.String("string"),
	TenantConfigurations: fusionauth.FusionAuthIdpExternalJwtTenantConfigurationArray{
		&fusionauth.FusionAuthIdpExternalJwtTenantConfigurationArgs{
			LimitUserLinkCountEnabled:      pulumi.Bool(false),
			LimitUserLinkCountMaximumLinks: pulumi.Int(0),
			TenantId:                       pulumi.String("string"),
		},
	},
	LinkingStrategy: pulumi.String("string"),
})

var fusionAuthIdpExternalJwtResource = new FusionAuthIdpExternalJwt("fusionAuthIdpExternalJwtResource", FusionAuthIdpExternalJwtArgs.builder()
    .headerKeyParameter("string")
    .lambdaReconcileId("string")
    .defaultKeyId("string")
    .name("string")
    .oauth2AuthorizationEndpoint("string")
    .enabled(false)
    .claimMap(Map.of("string", "string"))
    .idpId("string")
    .applicationConfigurations(FusionAuthIdpExternalJwtApplicationConfigurationArgs.builder()
        .applicationId("string")
        .createRegistration(false)
        .enabled(false)
        .build())
    .debug(false)
    .domains("string")
    .oauth2EmailClaim("string")
    .oauth2EmailVerifiedClaim("string")
    .oauth2TokenEndpoint("string")
    .oauth2UniqueIdClaim("string")
    .oauth2UsernameClaim("string")
    .tenantConfigurations(FusionAuthIdpExternalJwtTenantConfigurationArgs.builder()
        .limitUserLinkCountEnabled(false)
        .limitUserLinkCountMaximumLinks(0)
        .tenantId("string")
        .build())
    .linkingStrategy("string")
    .build());

fusion_auth_idp_external_jwt_resource = fusionauth.FusionAuthIdpExternalJwt("fusionAuthIdpExternalJwtResource",
    header_key_parameter="string",
    lambda_reconcile_id="string",
    default_key_id="string",
    name="string",
    oauth2_authorization_endpoint="string",
    enabled=False,
    claim_map={
        "string": "string",
    },
    idp_id="string",
    application_configurations=[{
        "application_id": "string",
        "create_registration": False,
        "enabled": False,
    }],
    debug=False,
    domains=["string"],
    oauth2_email_claim="string",
    oauth2_email_verified_claim="string",
    oauth2_token_endpoint="string",
    oauth2_unique_id_claim="string",
    oauth2_username_claim="string",
    tenant_configurations=[{
        "limit_user_link_count_enabled": False,
        "limit_user_link_count_maximum_links": 0,
        "tenant_id": "string",
    }],
    linking_strategy="string")

const fusionAuthIdpExternalJwtResource = new fusionauth.FusionAuthIdpExternalJwt("fusionAuthIdpExternalJwtResource", {
    headerKeyParameter: "string",
    lambdaReconcileId: "string",
    defaultKeyId: "string",
    name: "string",
    oauth2AuthorizationEndpoint: "string",
    enabled: false,
    claimMap: {
        string: "string",
    },
    idpId: "string",
    applicationConfigurations: [{
        applicationId: "string",
        createRegistration: false,
        enabled: false,
    }],
    debug: false,
    domains: ["string"],
    oauth2EmailClaim: "string",
    oauth2EmailVerifiedClaim: "string",
    oauth2TokenEndpoint: "string",
    oauth2UniqueIdClaim: "string",
    oauth2UsernameClaim: "string",
    tenantConfigurations: [{
        limitUserLinkCountEnabled: false,
        limitUserLinkCountMaximumLinks: 0,
        tenantId: "string",
    }],
    linkingStrategy: "string",
});

type: fusionauth:FusionAuthIdpExternalJwt
properties:
    applicationConfigurations:
        - applicationId: string
          createRegistration: false
          enabled: false
    claimMap:
        string: string
    debug: false
    defaultKeyId: string
    domains:
        - string
    enabled: false
    headerKeyParameter: string
    idpId: string
    lambdaReconcileId: string
    linkingStrategy: string
    name: string
    oauth2AuthorizationEndpoint: string
    oauth2EmailClaim: string
    oauth2EmailVerifiedClaim: string
    oauth2TokenEndpoint: string
    oauth2UniqueIdClaim: string
    oauth2UsernameClaim: string
    tenantConfigurations:
        - limitUserLinkCountEnabled: false
          limitUserLinkCountMaximumLinks: 0
          tenantId: string

FusionAuthIdpExternalJwt Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The FusionAuthIdpExternalJwt resource accepts the following input properties:

HeaderKeyParameter string: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
ApplicationConfigurations List<theogravity.Fusionauth.Inputs.FusionAuthIdpExternalJwtApplicationConfiguration>: The configuration for each Application that the identity provider is enabled for.
ClaimMap Dictionary<string, string>: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
Debug bool: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
DefaultKeyId string: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
Domains List<string>: An array of domains that are managed by this Identity Provider.
Enabled bool: Determines if this provider is enabled. If it is false then it will be disabled globally.
IdpId string: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
LambdaReconcileId string: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
LinkingStrategy string: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
Name string: The name of the Identity Provider.
Oauth2AuthorizationEndpoint string: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
Oauth2EmailClaim string: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
Oauth2EmailVerifiedClaim string: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
Oauth2TokenEndpoint string: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
Oauth2UniqueIdClaim string: The name of the claim that contains the user's unique user Id.
Oauth2UsernameClaim string: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
TenantConfigurations List<theogravity.Fusionauth.Inputs.FusionAuthIdpExternalJwtTenantConfiguration>: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
UniqueIdentityClaim string: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

HeaderKeyParameter string: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
ApplicationConfigurations []FusionAuthIdpExternalJwtApplicationConfigurationArgs: The configuration for each Application that the identity provider is enabled for.
ClaimMap map[string]string: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
Debug bool: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
DefaultKeyId string: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
Domains []string: An array of domains that are managed by this Identity Provider.
Enabled bool: Determines if this provider is enabled. If it is false then it will be disabled globally.
IdpId string: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
LambdaReconcileId string: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
LinkingStrategy string: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
Name string: The name of the Identity Provider.
Oauth2AuthorizationEndpoint string: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
Oauth2EmailClaim string: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
Oauth2EmailVerifiedClaim string: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
Oauth2TokenEndpoint string: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
Oauth2UniqueIdClaim string: The name of the claim that contains the user's unique user Id.
Oauth2UsernameClaim string: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
TenantConfigurations []FusionAuthIdpExternalJwtTenantConfigurationArgs: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
UniqueIdentityClaim string: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

headerKeyParameter String: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
applicationConfigurations List<FusionAuthIdpExternalJwtApplicationConfiguration>: The configuration for each Application that the identity provider is enabled for.
claimMap Map<String,String>: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug Boolean: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
defaultKeyId String: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains List<String>: An array of domains that are managed by this Identity Provider.
enabled Boolean: Determines if this provider is enabled. If it is false then it will be disabled globally.
idpId String: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambdaReconcileId String: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linkingStrategy String: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name String: The name of the Identity Provider.
oauth2AuthorizationEndpoint String: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2EmailClaim String: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2EmailVerifiedClaim String: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2TokenEndpoint String: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2UniqueIdClaim String: The name of the claim that contains the user's unique user Id.
oauth2UsernameClaim String: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenantConfigurations List<FusionAuthIdpExternalJwtTenantConfiguration>: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
uniqueIdentityClaim String: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

headerKeyParameter string: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
applicationConfigurations FusionAuthIdpExternalJwtApplicationConfiguration[]: The configuration for each Application that the identity provider is enabled for.
claimMap {[key: string]: string}: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug boolean: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
defaultKeyId string: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains string[]: An array of domains that are managed by this Identity Provider.
enabled boolean: Determines if this provider is enabled. If it is false then it will be disabled globally.
idpId string: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambdaReconcileId string: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linkingStrategy string: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name string: The name of the Identity Provider.
oauth2AuthorizationEndpoint string: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2EmailClaim string: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2EmailVerifiedClaim string: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2TokenEndpoint string: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2UniqueIdClaim string: The name of the claim that contains the user's unique user Id.
oauth2UsernameClaim string: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenantConfigurations FusionAuthIdpExternalJwtTenantConfiguration[]: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
uniqueIdentityClaim string: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

header_key_parameter str: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
application_configurations Sequence[FusionAuthIdpExternalJwtApplicationConfigurationArgs]: The configuration for each Application that the identity provider is enabled for.
claim_map Mapping[str, str]: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug bool: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
default_key_id str: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains Sequence[str]: An array of domains that are managed by this Identity Provider.
enabled bool: Determines if this provider is enabled. If it is false then it will be disabled globally.
idp_id str: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambda_reconcile_id str: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linking_strategy str: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name str: The name of the Identity Provider.
oauth2_authorization_endpoint str: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2_email_claim str: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2_email_verified_claim str: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2_token_endpoint str: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2_unique_id_claim str: The name of the claim that contains the user's unique user Id.
oauth2_username_claim str: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenant_configurations Sequence[FusionAuthIdpExternalJwtTenantConfigurationArgs]: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
unique_identity_claim str: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

headerKeyParameter String: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
applicationConfigurations List<Property Map>: The configuration for each Application that the identity provider is enabled for.
claimMap Map<String>: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug Boolean: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
defaultKeyId String: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains List<String>: An array of domains that are managed by this Identity Provider.
enabled Boolean: Determines if this provider is enabled. If it is false then it will be disabled globally.
idpId String: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambdaReconcileId String: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linkingStrategy String: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name String: The name of the Identity Provider.
oauth2AuthorizationEndpoint String: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2EmailClaim String: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2EmailVerifiedClaim String: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2TokenEndpoint String: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2UniqueIdClaim String: The name of the claim that contains the user's unique user Id.
oauth2UsernameClaim String: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenantConfigurations List<Property Map>: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
uniqueIdentityClaim String: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

Outputs

All input properties are implicitly available as output properties. Additionally, the FusionAuthIdpExternalJwt resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing FusionAuthIdpExternalJwt Resource

Get an existing FusionAuthIdpExternalJwt resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: FusionAuthIdpExternalJwtState, opts?: CustomResourceOptions): FusionAuthIdpExternalJwt

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        application_configurations: Optional[Sequence[FusionAuthIdpExternalJwtApplicationConfigurationArgs]] = None,
        claim_map: Optional[Mapping[str, str]] = None,
        debug: Optional[bool] = None,
        default_key_id: Optional[str] = None,
        domains: Optional[Sequence[str]] = None,
        enabled: Optional[bool] = None,
        header_key_parameter: Optional[str] = None,
        idp_id: Optional[str] = None,
        lambda_reconcile_id: Optional[str] = None,
        linking_strategy: Optional[str] = None,
        name: Optional[str] = None,
        oauth2_authorization_endpoint: Optional[str] = None,
        oauth2_email_claim: Optional[str] = None,
        oauth2_email_verified_claim: Optional[str] = None,
        oauth2_token_endpoint: Optional[str] = None,
        oauth2_unique_id_claim: Optional[str] = None,
        oauth2_username_claim: Optional[str] = None,
        tenant_configurations: Optional[Sequence[FusionAuthIdpExternalJwtTenantConfigurationArgs]] = None,
        unique_identity_claim: Optional[str] = None) -> FusionAuthIdpExternalJwt

func GetFusionAuthIdpExternalJwt(ctx *Context, name string, id IDInput, state *FusionAuthIdpExternalJwtState, opts ...ResourceOption) (*FusionAuthIdpExternalJwt, error)

public static FusionAuthIdpExternalJwt Get(string name, Input<string> id, FusionAuthIdpExternalJwtState? state, CustomResourceOptions? opts = null)

public static FusionAuthIdpExternalJwt get(String name, Output<String> id, FusionAuthIdpExternalJwtState state, CustomResourceOptions options)

resources:  _:    type: fusionauth:FusionAuthIdpExternalJwt    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

ApplicationConfigurations List<theogravity.Fusionauth.Inputs.FusionAuthIdpExternalJwtApplicationConfiguration>: The configuration for each Application that the identity provider is enabled for.
ClaimMap Dictionary<string, string>: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
Debug bool: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
DefaultKeyId string: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
Domains List<string>: An array of domains that are managed by this Identity Provider.
Enabled bool: Determines if this provider is enabled. If it is false then it will be disabled globally.
HeaderKeyParameter string: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
IdpId string: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
LambdaReconcileId string: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
LinkingStrategy string: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
Name string: The name of the Identity Provider.
Oauth2AuthorizationEndpoint string: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
Oauth2EmailClaim string: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
Oauth2EmailVerifiedClaim string: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
Oauth2TokenEndpoint string: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
Oauth2UniqueIdClaim string: The name of the claim that contains the user's unique user Id.
Oauth2UsernameClaim string: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
TenantConfigurations List<theogravity.Fusionauth.Inputs.FusionAuthIdpExternalJwtTenantConfiguration>: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
UniqueIdentityClaim string: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

ApplicationConfigurations []FusionAuthIdpExternalJwtApplicationConfigurationArgs: The configuration for each Application that the identity provider is enabled for.
ClaimMap map[string]string: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
Debug bool: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
DefaultKeyId string: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
Domains []string: An array of domains that are managed by this Identity Provider.
Enabled bool: Determines if this provider is enabled. If it is false then it will be disabled globally.
HeaderKeyParameter string: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
IdpId string: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
LambdaReconcileId string: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
LinkingStrategy string: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
Name string: The name of the Identity Provider.
Oauth2AuthorizationEndpoint string: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
Oauth2EmailClaim string: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
Oauth2EmailVerifiedClaim string: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
Oauth2TokenEndpoint string: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
Oauth2UniqueIdClaim string: The name of the claim that contains the user's unique user Id.
Oauth2UsernameClaim string: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
TenantConfigurations []FusionAuthIdpExternalJwtTenantConfigurationArgs: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
UniqueIdentityClaim string: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

applicationConfigurations List<FusionAuthIdpExternalJwtApplicationConfiguration>: The configuration for each Application that the identity provider is enabled for.
claimMap Map<String,String>: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug Boolean: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
defaultKeyId String: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains List<String>: An array of domains that are managed by this Identity Provider.
enabled Boolean: Determines if this provider is enabled. If it is false then it will be disabled globally.
headerKeyParameter String: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
idpId String: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambdaReconcileId String: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linkingStrategy String: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name String: The name of the Identity Provider.
oauth2AuthorizationEndpoint String: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2EmailClaim String: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2EmailVerifiedClaim String: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2TokenEndpoint String: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2UniqueIdClaim String: The name of the claim that contains the user's unique user Id.
oauth2UsernameClaim String: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenantConfigurations List<FusionAuthIdpExternalJwtTenantConfiguration>: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
uniqueIdentityClaim String: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

applicationConfigurations FusionAuthIdpExternalJwtApplicationConfiguration[]: The configuration for each Application that the identity provider is enabled for.
claimMap {[key: string]: string}: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug boolean: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
defaultKeyId string: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains string[]: An array of domains that are managed by this Identity Provider.
enabled boolean: Determines if this provider is enabled. If it is false then it will be disabled globally.
headerKeyParameter string: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
idpId string: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambdaReconcileId string: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linkingStrategy string: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name string: The name of the Identity Provider.
oauth2AuthorizationEndpoint string: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2EmailClaim string: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2EmailVerifiedClaim string: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2TokenEndpoint string: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2UniqueIdClaim string: The name of the claim that contains the user's unique user Id.
oauth2UsernameClaim string: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenantConfigurations FusionAuthIdpExternalJwtTenantConfiguration[]: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
uniqueIdentityClaim string: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

application_configurations Sequence[FusionAuthIdpExternalJwtApplicationConfigurationArgs]: The configuration for each Application that the identity provider is enabled for.
claim_map Mapping[str, str]: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug bool: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
default_key_id str: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains Sequence[str]: An array of domains that are managed by this Identity Provider.
enabled bool: Determines if this provider is enabled. If it is false then it will be disabled globally.
header_key_parameter str: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
idp_id str: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambda_reconcile_id str: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linking_strategy str: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name str: The name of the Identity Provider.
oauth2_authorization_endpoint str: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2_email_claim str: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2_email_verified_claim str: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2_token_endpoint str: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2_unique_id_claim str: The name of the claim that contains the user's unique user Id.
oauth2_username_claim str: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenant_configurations Sequence[FusionAuthIdpExternalJwtTenantConfigurationArgs]: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
unique_identity_claim str: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

applicationConfigurations List<Property Map>: The configuration for each Application that the identity provider is enabled for.
claimMap Map<String>: A map of incoming claims to User fields, User data or Registration data. The key of the map is the incoming claim name from the configured identity provider. The following are allowed values: birthDate, firstName, lastName, fullName, middleName, mobilePhone, imageUrl, timezone, UserData and RegistrationData.
debug Boolean: Determines if debug is enabled for this provider. When enabled, each time this provider is invoked to reconcile a login an Event Log will be created.
defaultKeyId String: When configured this key will be used to verify the signature of the JWT when the header key defined by the headerKeyParameter property is not found in the JWT header. In most cases, the JWT header will contain the key identifier and this value will be used to resolve the correct public key or X.509 certificate to verify the signature. This assumes the public key or X.509 certificate has already been imported using the Key API or Key Master in the FusionAuth admin UI.
domains List<String>: An array of domains that are managed by this Identity Provider.
enabled Boolean: Determines if this provider is enabled. If it is false then it will be disabled globally.
headerKeyParameter String: The name header claim that identifies the public key used to verify the signature. In most cases this be kid or x5t.
idpId String: The ID to use for the new identity provider. If not specified a secure random UUID will be generated.
lambdaReconcileId String: The unique Id of the lambda to used during the user reconcile process to map custom claims from the external identity provider to the FusionAuth user.
linkingStrategy String: The linking strategy to use when creating the link between the {idp_display_name} Identity Provider and the user.
name String: The name of the Identity Provider.
oauth2AuthorizationEndpoint String: The authorization endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to perform the browser redirect to the OAuth2 authorize endpoint.
oauth2EmailClaim String: The name of the claim that contains the user's email address. This will only be used when the linking_strategyis equal to LinkByEmail or LinkByEmailForExistingUser.
oauth2EmailVerifiedClaim String: The name of the claim that identities if the user's email address has been verified. When the linking_strategy is equal to LinkByEmail or LinkByEmailForExistingUser and this claim is present and the value is false a link will not be established and an error will be returned indicating a link cannot be established using an unverified email address.
oauth2TokenEndpoint String: The token endpoint for this Identity Provider. This value is not utilized by FusionAuth is only provided to be returned by the Lookup Identity Provider API response. During integration you may then utilize this value to complete the OAuth2 grant workflow.
oauth2UniqueIdClaim String: The name of the claim that contains the user's unique user Id.
oauth2UsernameClaim String: The name of the claim that contains the user's username. This will only be used when the linking_strategy is equal to LinkByUsername or LinkByUsernameForExistingUser.
tenantConfigurations List<Property Map>: The configuration for each Tenant that limits the number of links a user may have for a particular identity provider.
uniqueIdentityClaim String: (Optional) The name of the claim that represents the unique identify of the User. This will generally be email or the name of the claim that provides the email address.
Deprecated: This field is deprecated and will be removed in a future release. Prefer the use of oauth2_unique_id_claim.

Supporting Types

FusionAuthIdpExternalJwtApplicationConfiguration, FusionAuthIdpExternalJwtApplicationConfigurationArgs

ApplicationId string: ID of the Application to apply this configuration to.
CreateRegistration bool: Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
Enabled bool: Determines if this identity provider is enabled for the Application specified by the applicationId key.

ApplicationId string: ID of the Application to apply this configuration to.
CreateRegistration bool: Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
Enabled bool: Determines if this identity provider is enabled for the Application specified by the applicationId key.

applicationId String: ID of the Application to apply this configuration to.
createRegistration Boolean: Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
enabled Boolean: Determines if this identity provider is enabled for the Application specified by the applicationId key.

applicationId string: ID of the Application to apply this configuration to.
createRegistration boolean: Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
enabled boolean: Determines if this identity provider is enabled for the Application specified by the applicationId key.

application_id str: ID of the Application to apply this configuration to.
create_registration bool: Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
enabled bool: Determines if this identity provider is enabled for the Application specified by the applicationId key.

applicationId String: ID of the Application to apply this configuration to.
createRegistration Boolean: Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
enabled Boolean: Determines if this identity provider is enabled for the Application specified by the applicationId key.

FusionAuthIdpExternalJwtTenantConfiguration, FusionAuthIdpExternalJwtTenantConfigurationArgs

LimitUserLinkCountEnabled bool: When enabled, the number of identity provider links a user may create is enforced by maximumLinks
LimitUserLinkCountMaximumLinks int: Determines if this provider is enabled. If it is false then it will be disabled globally.
TenantId string: The unique Id of the tenant that this configuration applies to.

LimitUserLinkCountEnabled bool: When enabled, the number of identity provider links a user may create is enforced by maximumLinks
LimitUserLinkCountMaximumLinks int: Determines if this provider is enabled. If it is false then it will be disabled globally.
TenantId string: The unique Id of the tenant that this configuration applies to.

limitUserLinkCountEnabled Boolean: When enabled, the number of identity provider links a user may create is enforced by maximumLinks
limitUserLinkCountMaximumLinks Integer: Determines if this provider is enabled. If it is false then it will be disabled globally.
tenantId String: The unique Id of the tenant that this configuration applies to.

limitUserLinkCountEnabled boolean: When enabled, the number of identity provider links a user may create is enforced by maximumLinks
limitUserLinkCountMaximumLinks number: Determines if this provider is enabled. If it is false then it will be disabled globally.
tenantId string: The unique Id of the tenant that this configuration applies to.

limit_user_link_count_enabled bool: When enabled, the number of identity provider links a user may create is enforced by maximumLinks
limit_user_link_count_maximum_links int: Determines if this provider is enabled. If it is false then it will be disabled globally.
tenant_id str: The unique Id of the tenant that this configuration applies to.

limitUserLinkCountEnabled Boolean: When enabled, the number of identity provider links a user may create is enforced by maximumLinks
limitUserLinkCountMaximumLinks Number: Determines if this provider is enabled. If it is false then it will be disabled globally.
tenantId String: The unique Id of the tenant that this configuration applies to.

Package Details

Repository: fusionauth theogravity/pulumi-fusionauth
License: MIT
Notes: This Pulumi package is based on the fusionauth Terraform Provider.

FusionAuth v6.0.2 published on Sunday, Feb 9, 2025 by Theo Gravity

theogravity/pulumi-fusionauth

fusionauth.FusionAuthIdpExternalJwt

On this page

On this page

# External JWT Identity Provider Resource

Example Usage

Create FusionAuthIdpExternalJwt Resource

Constructor syntax

Parameters

Constructor example

FusionAuthIdpExternalJwt Resource Properties

Inputs

Outputs

Look up Existing FusionAuthIdpExternalJwt Resource

Supporting Types

FusionAuthIdpExternalJwtApplicationConfiguration, FusionAuthIdpExternalJwtApplicationConfigurationArgs

FusionAuthIdpExternalJwtTenantConfiguration, FusionAuthIdpExternalJwtTenantConfigurationArgs

Package Details

On this page

On this page