API Stability: Long-Term

The newAzureAdOidcIdentityProvider() GraphQL mutation field creates a new Azure AD OIDC identity provider (IDP). It is a root operation.

For more information on Azure AD as it relates to this field, see the Service Fabric & LogScale reference page.

Syntax

Below is the syntax for the newAzureAdOidcIdentityProvider() mutation field:

graphql
newAzureAdOidcIdentityProvider(
     name: string!,
     tenantId: string!,
     clientID: string!,
     clientSecret: string!,
     domains: [string!]!,
     enableDebug: boolean,
     scopeClaim: string
   ): OidcIdentityProvider!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  newAzureAdOidcIdentityProvider( 
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false    
  ) 
  { id }
}
Mac OS or Linux (curl)
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation { newAzureAdOidcIdentityProvider( name: \"myAzure-IDP\", tenantId: \"123abc\", clientID: \"456efg\", clientSecret: \"MD39xf83M301\", domains: [\"humio\"], enableDebug: false ) { id } }"}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { newAzureAdOidcIdentityProvider( name: \"myAzure-IDP\", tenantId: \"123abc\", clientID: \"456efg\", clientSecret: \"MD39xf83M301\", domains: [\"humio\"], enableDebug: false ) { id } }"}'
Windows Cmd and curl
shell
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { newAzureAdOidcIdentityProvider( name: \\\"myAzure-IDP\\\", tenantId: \\\"123abc\\\", clientID: \\\"456efg\\\", clientSecret: \\\"MD39xf83M301\\\", domains: [\\\"humio\\\"], enableDebug: false ) { id } }\" }"
Windows Powershell and curl
powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "mutation { newAzureAdOidcIdentityProvider( name: \"myAzure-IDP\", tenantId: \"123abc\", clientID: \"456efg\", clientSecret: \"MD39xf83M301\", domains: [\"humio\"], enableDebug: false ) { id } }" }' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

# The API token and the LogScale base URL are read from the environment.
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

my $query = <<'GRAPHQL';
mutation {
  newAzureAdOidcIdentityProvider(
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false
  )
  { id }
}
GRAPHQL

# encode_json escapes the quotes and newlines in the GraphQL document,
# so the request body is valid JSON.
my $json = encode_json({ query => $query });

my $req = HTTP::Request->new("POST", $uri);
$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type"  => "application/json");
$req->content($json);

my $lwp    = LWP::UserAgent->new;
my $result = $lwp->request($req);

print $result->decoded_content, "\n";
Python
python
#!/usr/bin/env python3

import os

import requests

# The LogScale base URL and the API token are read from the environment.
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

query = """mutation {
  newAzureAdOidcIdentityProvider(
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false
  )
  { id }
}"""

# Passing json= lets requests serialise the body (escaping the quotes and
# newlines in the GraphQL document) and set Content-Type for us.
resp = requests.post(url,
                     json={"query": query},
                     headers={"Authorization": f"Bearer {token}"})

print(resp.status_code)
print(resp.text)
Node.js
javascript
const https = require('https');

// JSON.stringify escapes the quotes and newlines in the GraphQL document,
// so the request body is valid JSON.
const body = JSON.stringify({
  query: `mutation {
  newAzureAdOidcIdentityProvider(
     name: "myAzure-IDP",
     tenantId: "123abc",
     clientID: "456efg",
     clientSecret: "MD39xf83M301",
     domains: ["humio"],
     enableDebug: false
  )
  { id }
}`,
});

// The LogScale base URL and the API token are read from the environment.
const url = new URL('/graphql', process.env.YOUR_LOGSCALE_URL);

const options = {
  hostname: url.hostname,
  path: url.pathname,
  port: url.port || 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(body),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let response = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (chunk) => {
    response += chunk;
  });
  res.on('end', () => {
    // GraphQL reports failed mutations in `errors`, usually with HTTP 200.
    const parsed = JSON.parse(response);
    console.log(parsed.errors || parsed.data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(body);
req.end();
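All of the examples above splice the client secret into the GraphQL document as a string literal, which means escaping it by hand and, for the one-line variants, leaving it in shell history. The following script is an added example, not code from the LogScale documentation: it sends the same mutation with every caller-supplied value passed as a GraphQL variable, reads the secret from the environment, and inspects the response's errors array, since GraphQL servers commonly answer HTTP 200 even when a mutation fails. The mutation and argument names come from the syntax above and the selected fields (id, name, debug, domains) from the returned type; the operation name NewAzureIdp and the environment variable names (YOUR_LOGSCALE_URL, TOKEN, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) are assumptions.

```python
#!/usr/bin/env python3
"""Create an Azure AD OIDC identity provider in LogScale via GraphQL.

Added example (not from the LogScale docs). Values travel as GraphQL
variables, so the query text never contains the client secret and no
hand escaping is needed. Environment variable names are assumptions.
"""
import json
import os
import sys
import urllib.request

# The mutation text is constant; only `variables` changes per call, so the
# query string itself can be logged without exposing credentials.
MUTATION = """
mutation NewAzureIdp($name: String!, $tenantId: String!, $clientID: String!,
                     $clientSecret: String!, $domains: [String!]!,
                     $enableDebug: Boolean, $scopeClaim: String) {
  newAzureAdOidcIdentityProvider(
    name: $name, tenantId: $tenantId, clientID: $clientID,
    clientSecret: $clientSecret, domains: $domains,
    enableDebug: $enableDebug, scopeClaim: $scopeClaim
  ) { id name debug domains }
}
"""


def build_request(name, tenant_id, client_id, client_secret, domains,
                  enable_debug=False, scope_claim=None):
    """Return the JSON-serialisable request body for the mutation."""
    if not domains:
        raise ValueError("domains is non-nullable and must not be empty")
    variables = {
        "name": name,
        "tenantId": tenant_id,
        "clientID": client_id,
        "clientSecret": client_secret,
        "domains": list(domains),
        "enableDebug": enable_debug,
    }
    if scope_claim is not None:      # optional argument: omit when unset
        variables["scopeClaim"] = scope_claim
    return {"query": MUTATION, "variables": variables}


def parse_response(body):
    """Extract the created provider from a GraphQL response body.

    A failed mutation is reported in `errors`, typically with HTTP 200,
    so the status code alone does not tell you whether the IDP was created.
    """
    errors = body.get("errors")
    if errors:
        msgs = "; ".join(e.get("message", "unknown error") for e in errors)
        raise RuntimeError(f"GraphQL error: {msgs}")
    return body["data"]["newAzureAdOidcIdentityProvider"]


def create_provider(base_url, token, **kwargs):
    """POST the mutation to <base_url>/graphql and return the new provider."""
    payload = json.dumps(build_request(**kwargs)).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/graphql", data=payload, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(json.load(resp))


if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names), not
    # from the command line, where they would land in shell history.
    try:
        result = create_provider(
            os.environ["YOUR_LOGSCALE_URL"], os.environ["TOKEN"],
            name="myAzure-IDP",
            tenant_id=os.environ["AZURE_TENANT_ID"],
            client_id=os.environ["AZURE_CLIENT_ID"],
            client_secret=os.environ["AZURE_CLIENT_SECRET"],
            domains=["humio"],
        )
    except KeyError as missing:
        sys.exit(f"missing environment variable: {missing}")
    print(json.dumps(result, indent=2))
```

Because the GraphQL variable types must match the schema exactly, a mismatch (for example a null domains list) is rejected by the server before the mutation runs and surfaces in the errors array that parse_response raises on.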

Returned Datatypes

The returned datatype OidcIdentityProvider has several fields, listed below with a description of each. Note that clientSecret is among them: the secret supplied to this mutation is readable by any caller permitted to query the identity provider, so treat API tokens with that permission as holding the Azure AD client credential as well.

Table: OidcIdentityProvider

Parameter | Type | Required | Default | Stability | Description
For a returned datatype, "yes" in the Required column means the field is always present in the result; other fields may be null.
Table last updated: Sep 27, 2024
authenticationMethod | AuthenticationMethodAuth | yes | | | The authentication method used. See AuthenticationMethodAuth.
authorizationEndpoint | string | | | | A URL to the endpoint a user should be redirected to when authorizing.
clientId | string | yes | | | The unique identifier for the client.
clientSecret | string | yes | | | The password for the client.
debug | boolean | yes | | | Whether debugging is enabled.
defaultIdp | boolean | yes | | | Whether the identity provider is the default.
domains | [string] | yes | | | The domains authorized by the OIDC identity provider.
federatedIdp | string | | | | The federated IdP.
groupsClaim | string | | | | The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
humioManaged | boolean | yes | | | Whether authentication is managed by LogScale.
id | string | yes | | | The unique identifier for the OIDC identity provider.
issuer | string | yes | | | The issuer of the OIDC authentication.
jwksEndpoint | string | | | | A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
lazyCreateUsers | boolean | yes | | | Whether to wait to create users until necessary.
name | string | yes | | | The name of the OIDC identity provider.
registrationEndpoint | string | | | | To use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client.
scopeClaim | string | | | | The scope claim.
scopes | [string] | yes | | | Scopes requested in addition to the default scopes (openid, email, and profile).
tokenEndpoint | string | | | | A URL to the token endpoint used to exchange an authorization code for an access token. Required for clients.
tokenEndpointAuthMethod | string | yes | | | The method used to authenticate the client to the token endpoint.
userClaim | string | yes | | | The name of the claim to interpret as the username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
userInfoEndpoint | string | | | | A URL to the user info endpoint used to retrieve user information from an access token.