API Stability Long-Term

The newOIDCIdentityProvider() GraphQL mutation may be used to set up a new OIDC identity provider. It's a root operation.

For more information on OpenID Connect, see the Authenticating with OpenID Connect documentation page. You may also want to look at Authentication and Identity Providers for related information.

Syntax

Below is the syntax for the newOIDCIdentityProvider() mutation field:

graphql
newOIDCIdentityProvider(
     input: OidcConfigurationInput!
   ): OidcIdentityProvider!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  newOIDCIdentityProvider(input: { 
     name: "myOIDC",
     clientID: "123abc",
     clientSecret: "MD39xf83M301",
     issuer: "https://my.oidc-idp.com",
     tokenEndpointAuthMethod: "client_secret_basic",
     authorizationEndpoint: "https://my.oidc-idp.com/authorize",
     domains: ["humio"],
     scopes: ["profile", "email", "openid"],
     enableDebug: false    
       } ) 
  { id }
}
Mac OS or Linux (curl)
shell
# Each line of the query ends in a backslash so the heredoc joins it into one line:
# a JSON string may not contain raw newlines, so the multi-line form would be rejected.
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation { \
  newOIDCIdentityProvider(input: { \
     name: \"myOIDC\", \
     clientID: \"123abc\", \
     clientSecret: \"MD39xf83M301\", \
     issuer: \"https://my.oidc-idp.com\", \
     tokenEndpointAuthMethod: \"client_secret_basic\", \
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\", \
     domains: [\"humio\"], \
     scopes: [\"profile\", \"email\", \"openid\"], \
     enableDebug: false \
       } ) \
  { id } \
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
# The whole body on one line: inside single quotes the \" sequences reach curl unchanged.
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"query" : "mutation { newOIDCIdentityProvider(input: { name: \"myOIDC\", clientID: \"123abc\", clientSecret: \"MD39xf83M301\", issuer: \"https://my.oidc-idp.com\", tokenEndpointAuthMethod: \"client_secret_basic\", authorizationEndpoint: \"https://my.oidc-idp.com/authorize\", domains: [\"humio\"], scopes: [\"profile\", \"email\", \"openid\"], enableDebug: false } ) { id } }"}'
Windows Cmd and curl
shell
rem cmd has no heredoc and cannot quote multi-line JSON reliably, so write the body
rem to a file (on one line: a JSON string may not contain raw newlines) and post that.
rem cmd expands %VAR%, not $VAR.
echo {"query" : "mutation { newOIDCIdentityProvider(input: { name: \"myOIDC\", clientID: \"123abc\", clientSecret: \"MD39xf83M301\", issuer: \"https://my.oidc-idp.com\", tokenEndpointAuthMethod: \"client_secret_basic\", authorizationEndpoint: \"https://my.oidc-idp.com/authorize\", domains: [\"humio\"], scopes: [\"profile\", \"email\", \"openid\"], enableDebug: false } ) { id } }"}>body.json
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d @body.json
rem The file holds the client secret; remove it once the request has been sent.
del body.json
Windows Powershell and curl
powershell
# ConvertTo-Json escapes the quotes and newlines in the query for us;
# a JSON string may not contain raw newlines.
$query = 'mutation {
  newOIDCIdentityProvider(input: {
     name: "myOIDC",
     clientID: "123abc",
     clientSecret: "MD39xf83M301",
     issuer: "https://my.oidc-idp.com",
     tokenEndpointAuthMethod: "client_secret_basic",
     authorizationEndpoint: "https://my.oidc-idp.com/authorize",
     domains: ["humio"],
     scopes: ["profile", "email", "openid"],
     enableDebug: false
       } )
  { id }
}'
$body = @{ query = $query } | ConvertTo-Json -Compress
# The body goes to curl on stdin (-d @-), which sidesteps PowerShell's quoting
# rules for native commands. Backticks continue the line.
$body | curl.exe -X POST `
    -H "Authorization: Bearer $env:TOKEN" `
    -H "Content-Type: application/json" `
    -d "@-" `
    "$env:YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

my $TOKEN = $ENV{TOKEN};

my $uri = "$ENV{YOUR_LOGSCALE_URL}/graphql";

# Single quotes keep the inner double quotes literal; encode_json below escapes
# them and the newlines. Building the JSON with sprintf would leave them unescaped.
my $query = 'mutation {
  newOIDCIdentityProvider(input: {
     name: "myOIDC",
     clientID: "123abc",
     clientSecret: "MD39xf83M301",
     issuer: "https://my.oidc-idp.com",
     tokenEndpointAuthMethod: "client_secret_basic",
     authorizationEndpoint: "https://my.oidc-idp.com/authorize",
     domains: ["humio"],
     scopes: ["profile", "email", "openid"],
     enableDebug: false
       } )
  { id }
}';
my $json = encode_json({ query => $query });
my $req = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content($json);

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request($req);

print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import os

import requests

url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
query = """mutation {
  newOIDCIdentityProvider(input: {
     name: "myOIDC",
     clientID: "123abc",
     clientSecret: "MD39xf83M301",
     issuer: "https://my.oidc-idp.com",
     tokenEndpointAuthMethod: "client_secret_basic",
     authorizationEndpoint: "https://my.oidc-idp.com/authorize",
     domains: ["humio"],
     scopes: ["profile", "email", "openid"],
     enableDebug: false
       } )
  { id }
}"""

# json= serialises the body for us (escaping the quotes and the newlines, which a
# JSON string may not contain raw) and sets the Content-Type header.
resp = requests.post(url,
                     json={"query": query},
                     headers={"Authorization": "Bearer " + os.environ["TOKEN"]},
                     timeout=30)

print(resp.text)
Node.js
javascript
const https = require('https');

// A template literal may span lines; a plain '...' string literal may not,
// so the query is built here and serialised with JSON.stringify.
const query = `mutation {
  newOIDCIdentityProvider(input: {
     name: "myOIDC",
     clientID: "123abc",
     clientSecret: "MD39xf83M301",
     issuer: "https://my.oidc-idp.com",
     tokenEndpointAuthMethod: "client_secret_basic",
     authorizationEndpoint: "https://my.oidc-idp.com/authorize",
     domains: ["humio"],
     scopes: ["profile", "email", "openid"],
     enableDebug: false
       } )
  { id }
}`;
const data = JSON.stringify({ query });

// hostname must be the host alone; the path goes in options.path.
const base = new URL(process.env.YOUR_LOGSCALE_URL);

const options = {
  hostname: base.hostname,
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': Buffer.byteLength(data), // bytes, not characters
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = ''; // separate name so it does not shadow the request body
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

For OidcConfigurationInput, there are several parameters. Below is a list of them along with a description of each:

Table: OidcConfigurationInput

Some arguments may be required, as indicated in the Required column. For returned fields, that column instead indicates that a value is always returned.
Table last updated: Mar 28, 2025

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| authorizationEndpoint | string | yes | | Long-Term | A URL to the endpoint a user should be redirected to when authorizing. Required for clients. |
| clientID | string | yes | | Long-Term | The unique identifier of the client. |
| clientSecret | string | yes | | Long-Term | The client's password or passphrase or the like for the identity provider. |
| defaultIdp | boolean | | | Long-Term | The default identity provider. |
| domains | [string] | yes | | Long-Term | The domains for the OIDC authentication. |
| enableDebug | boolean | yes | | Long-Term | Whether to enable debugging mode. |
| federatedIdp | string | | | Long-Term | The Federated IdP. |
| groupsClaim | string | | | Long-Term | The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups. |
| humioOwned | boolean | | | Long-Term | Whether this is a LogScale owned OIDC. |
| issuer | string | yes | | Long-Term | The OIDC issuer. |
| JWKSEndpoint | string | | | Long-Term | A URL to the JWKS endpoint for retrieving keys for validating tokens. Required. |
| lazyCreateUsers | boolean | | | Long-Term | Whether to create users at the last moment, and only when needed. |
| name | string | yes | | Long-Term | The name of the OpenID Connect (OIDC) identity provider. |
| registrationEndpoint | string | | | Long-Term | LogScale will use the OIDC endpoint (%OIDC_PROVIDER%/.well-known/openid-configuration) to configure missing parameters. |
| scopeClaim | string | | | Long-Term | The scope claim. |
| scopes | [string] | yes | | Long-Term | Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile). Optional. |
| tokenEndpoint | string | | | Long-Term | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients. |
| tokenEndpointAuthMethod | string | yes | | Long-Term | The authentication method used to authenticate LogScale against the token endpoint. Can either be client_secret_basic or client_secret_post for placing the client id and secret in either basic auth or post data, respectively. Defaults to client_secret_basic, or client_secret_post if client_secret_basic is not supported as per the discovery endpoint. |
| userClaim | string | | email | Long-Term | The name of the claim to interpret as username in LogScale. Defaults to humio-user. Can be set to email if using emails as usernames. |
| userInfoEndpoint | string | | | Long-Term | A URL to the user info endpoint used to retrieve user information from an access token. Required. |
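The table above pins down which OidcConfigurationInput fields are mandatory and which values tokenEndpointAuthMethod accepts. The following added example (not part of the LogScale documentation or API client; the check rules and the hypothetical validate_input, build_request and create_idp helpers are this editor's) validates an input against those rules before sending, and passes the input as a GraphQL variable instead of splicing it into the query text, which also keeps the client secret out of the escaping problems the inline examples have to work around:

```python
import json
import urllib.request
from urllib.parse import urlparse

# Required fields, auth methods and URL fields from the OidcConfigurationInput table above.
REQUIRED = ("name", "clientID", "clientSecret", "issuer", "authorizationEndpoint",
            "tokenEndpointAuthMethod", "domains", "scopes", "enableDebug")
AUTH_METHODS = ("client_secret_basic", "client_secret_post")
URL_FIELDS = ("issuer", "authorizationEndpoint", "tokenEndpoint", "JWKSEndpoint", "userInfoEndpoint")

# Input as a GraphQL variable: the secret stays out of the query text, no quote-escaping needed.
MUTATION = """mutation NewOidc($input: OidcConfigurationInput!) {
  newOIDCIdentityProvider(input: $input) { id }
}"""

def validate_input(cfg):
    # Returns a list of problems; an empty list means cfg is ready to send.
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in cfg]
    if cfg.get("tokenEndpointAuthMethod") not in AUTH_METHODS:
        problems.append("tokenEndpointAuthMethod must be one of " + ", ".join(AUTH_METHODS))
    for field in URL_FIELDS:
        if field in cfg and urlparse(cfg[field]).scheme != "https":
            problems.append(f"{field} must be an https URL: it carries codes or tokens")
    if not cfg.get("domains"):
        problems.append("domains must list at least one domain")
    return problems

def build_request(cfg):
    # JSON body for POST /graphql; refuses an input that fails validation.
    problems = validate_input(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return {"query": MUTATION, "variables": {"input": cfg}}

def create_idp(base_url, token, cfg):
    # Sends the mutation; returns the new provider's id, raises on GraphQL errors.
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(f"{base_url}/graphql", method="POST", headers=headers,
                                 data=json.dumps(build_request(cfg)).encode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        result = json.load(resp)
    if result.get("errors"):
        raise RuntimeError(json.dumps(result["errors"]))
    return result["data"]["newOIDCIdentityProvider"]["id"]

# Constructed sample mirroring the page's example; the secret value is not real.
SAMPLE = {"name": "myOIDC", "clientID": "123abc", "clientSecret": "MD39xf83M301",
          "issuer": "https://my.oidc-idp.com", "tokenEndpointAuthMethod": "client_secret_basic",
          "authorizationEndpoint": "https://my.oidc-idp.com/authorize", "domains": ["humio"],
          "scopes": ["profile", "email", "openid"], "enableDebug": False}
```

Call create_idp(os.environ["YOUR_LOGSCALE_URL"], os.environ["TOKEN"], SAMPLE) to send it; an invalid input is rejected locally before any request leaves the host.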

Returned Datatypes

The returned datatype OidcIdentityProvider also has several parameters. Below is a list of them and a description of each:

Table: OidcIdentityProvider

Some arguments may be required, as indicated in the Required column. For returned fields, that column instead indicates that a value is always returned.
Table last updated: Jun 26, 2025

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| authenticationMethod | AuthenticationMethodAuth | yes | | Long-Term | The authentication method used. See AuthenticationMethodAuth. |
| authorizationEndpoint | string | | | Long-Term | A URL to the endpoint a user should be redirected to when authorizing. |
| clientId | string | yes | | Long-Term | The unique identifier for the client. |
| clientSecret | string | yes | | Long-Term | The password for the client. |
| debug | boolean | yes | | Long-Term | Whether debugging is enabled. |
| defaultIdp | boolean | yes | | Long-Term | Whether the identity provider is the default. |
| domains | [string] | yes | | Long-Term | The domains authorized by the OIDC identity providers. |
| federatedIdp | string | | | Long-Term | The Federated IdP. |
| groupsClaim | string | | | Long-Term | The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups. |
| humioManaged | boolean | yes | | Long-Term | Whether authentication is managed by LogScale. |
| id | string | yes | | Long-Term | The unique identifier for the OIDC identity provider. |
| issuer | string | yes | | Long-Term | The issuer of the OIDC authentication. |
| jwksEndpoint | string | | | Long-Term | A URL to the JWKS endpoint for retrieving keys for validating tokens. Required. |
| lazyCreateUsers | boolean | yes | | Long-Term | Whether to wait to create users until necessary. |
| name | string | yes | | Long-Term | The name of the OIDC identity provider. |
| registrationEndpoint | string | | | Long-Term | To use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client. |
| scopeClaim | string | | | Long-Term | The scope claim. |
| scopes | [string] | yes | | Long-Term | Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile). |
| tokenEndpoint | string | | | Long-Term | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients. |
| tokenEndpointAuthMethod | string | yes | | Long-Term | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients. |
| userClaim | string | yes | | Long-Term | The name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames. |
| userInfoEndpoint | string | | | Long-Term | A URL to the user info endpoint used to retrieve user information from an access token. |