newOIDCIdentityProvider()

API Stability	`Long-Term`

The newOIDCIdentityProvider() GraphQL mutation may be used to set up a new OIDC idp. It's a root operation.

For more information on OpenID Connect, see the Authenticating with OpenID Connect documentation page. You may also want to look at Authentication & Identity Providers for related information.

Syntax

Below is the syntax for the newOIDCIdentityProvider() mutation field:

graphql

newOIDCIdentityProvider(
     input: OidcConfigurationInput!
   ): OidcIdentityProvider!

Below is an example of how this mutation field might be used:

Show:

graphql

mutation {
  newOIDCIdentityProvider(input: { 
     name: "myOIDC",
     clientID: "123abc",
     clientSecret: "MD39xf83M301",
     issuer: "https://my.oidc-idp.com",
     tokenEndpointAuthMethod: "client_secret_basic",
     authorizationEndpoint: "https://my.oidc-idp.com/authorize",
     domains: ["humio"],
     scopes: ["profile", "email", "openid"],
     enableDebug: false    
       } ) 
  { id }
}

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  newOIDCIdentityProvider(input: { 
     name: \"myOIDC\",
     clientID: \"123abc\",
     clientSecret: \"MD39xf83M301\",
     issuer: \"https://my.oidc-idp.com\",
     tokenEndpointAuthMethod: \"client_secret_basic\",
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\",
     domains: [\"humio\"],
     scopes: [\"profile\", \"email\", \"openid\"],
     enableDebug: false    
       } ) 
  { id }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  newOIDCIdentityProvider(input: { 
     name: \"myOIDC\",
     clientID: \"123abc\",
     clientSecret: \"MD39xf83M301\",
     issuer: \"https://my.oidc-idp.com\",
     tokenEndpointAuthMethod: \"client_secret_basic\",
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\",
     domains: [\"humio\"],
     scopes: [\"profile\", \"email\", \"openid\"],
     enableDebug: false    
       } ) 
  { id }
}"
}
EOF

shell

curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "mutation { ^
  newOIDCIdentityProvider(input: {  ^
     name: \"myOIDC\", ^
     clientID: \"123abc\", ^
     clientSecret: \"MD39xf83M301\", ^
     issuer: \"https://my.oidc-idp.com\", ^
     tokenEndpointAuthMethod: \"client_secret_basic\", ^
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\", ^
     domains: [\"humio\"], ^
     scopes: [\"profile\", \"email\", \"openid\"], ^
     enableDebug: false     ^
       } )  ^
  { id } ^
}" ^
} '

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "mutation {
  newOIDCIdentityProvider(input: { 
     name: \"myOIDC\",
     clientID: \"123abc\",
     clientSecret: \"MD39xf83M301\",
     issuer: \"https://my.oidc-idp.com\",
     tokenEndpointAuthMethod: \"client_secret_basic\",
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\",
     domains: [\"humio\"],
     scopes: [\"profile\", \"email\", \"openid\"],
     enableDebug: false    
       } ) 
  { id }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "mutation {
  newOIDCIdentityProvider(input: { 
     name: \"myOIDC\",
     clientID: \"123abc\",
     clientSecret: \"MD39xf83M301\",
     issuer: \"https://my.oidc-idp.com\",
     tokenEndpointAuthMethod: \"client_secret_basic\",
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\",
     domains: [\"humio\"],
     scopes: [\"profile\", \"email\", \"openid\"],
     enableDebug: false    
       } ) 
  { id }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "mutation {
  newOIDCIdentityProvider(input: { 
     name: \"myOIDC\",
     clientID: \"123abc\",
     clientSecret: \"MD39xf83M301\",
     issuer: \"https://my.oidc-idp.com\",
     tokenEndpointAuthMethod: \"client_secret_basic\",
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\",
     domains: [\"humio\"],
     scopes: [\"profile\", \"email\", \"openid\"],
     enableDebug: false    
       } ) 
  { id }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)

javascript

const https = require('https');

const data = JSON.stringify(
    {"query" : "mutation {
  newOIDCIdentityProvider(input: { 
     name: \"myOIDC\",
     clientID: \"123abc\",
     clientSecret: \"MD39xf83M301\",
     issuer: \"https://my.oidc-idp.com\",
     tokenEndpointAuthMethod: \"client_secret_basic\",
     authorizationEndpoint: \"https://my.oidc-idp.com/authorize\",
     domains: [\"humio\"],
     scopes: [\"profile\", \"email\", \"openid\"],
     enableDebug: false    
       } ) 
  { id }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

For OidcConfigurationInput, there are several parameters. Below is a list of them along with a description of each:

Table: OidcConfigurationInput

Parameter	Type	Required	Default	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Mar 28, 2025
`authorizationEndpoint`	string	yes		`Long-Term`	A URL to the endpoint a user should be redirected to when authorizing. Required for clients.
`clientID`	string	yes		`Long-Term`	The unique identifier of the client.
`clientSecret`	string	yes		`Long-Term`	The client's password or passphrase or the like for the identity provider.
`defaultIdp`	boolean			`Long-Term`	The default identity provider.
`domains`	[string]	yes		`Long-Term`	The domains for the OIDC authentication.
`enableDebug`	boolean	yes		`Long-Term`	Whether to enable debugging mode.
`federatedIdp`	string			`Long-Term`	The Federated IdP.
`groupsClaim`	string			`Long-Term`	The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
`humioOwned`	boolean			`Long-Term`	Whther this is a LogScale owned OIDC.
`issuer`	string	yes		`Long-Term`	The OIDC issuer.
`JWKSEndpoint`	string			`Long-Term`	A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
`lazyCreateUsers`	boolean			`Long-Term`	Whether to create users at the last moment, and only when needed.
`name`	string	yes		`Long-Term`	The name of the OpenID Connect (OIDC) identity provider.
`registrationEndpoint`	string			`Long-Term`	LogScale will use the OIDC endpoint (%OIDC_PROVIDER%/.well-known/openid-configuration) to configure missing parameters.
`scopeClaim`	string			`Long-Term`	The scope claim.
`scopes`	[string]	yes		`Long-Term`	Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile). Optional.
`tokenEndpoint`	string			`Long-Term`	A URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
`tokenEndpointAuthMethod`	string	yes		`Long-Term`	The authentication method used to authenticate LogScale against the token endpoint. Can either be client_secret_basic or client_secret_post for placing the client id and secret in either basic auth or post data, respectively. Defaults to client_secret_basic, or client_secret_post if client_secret_basic is not supported as per the discovery endpoint.
`userClaim`	string		email	`Long-Term`	The name of the claim to interpret as username in LogScale. Defaults to humio-user. Can be set to email if using emails as usernames.
`userInfoEndpoint`	string			`Long-Term`	A URL to the user info endpoint used to retrieve user information from an access token. Required.

Returned Datatypes

The returned datatype OidcIdentityProvider also has several parameters. Below is a list of them and a description of each:

Table: OidcIdentityProvider

Parameter	Type	Required	Stability	Description
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 27, 2024
`authenticationMethod`	`AuthenticationMethodAuth`	yes	`Long-Term`	The authentication method used. See `AuthenticationMethodAuth`.
`authorizationEndpoint`	string		`Long-Term`	A URL to the endpoint a user should be redirected to when authorizing.
`clientId`	string	yes	`Long-Term`	The unique identifier for the client.
`clientSecret`	string	yes	`Long-Term`	The password for the client.
`debug`	boolean	yes	`Long-Term`	Whether debugging is enabled.
`defaultIdp`	boolean	yes	`Long-Term`	Whether the identity provider is the default.
`domains`	[string]	yes	`Long-Term`	The domains authorized by the OIDC identity providers.
`federatedIdp`	string		`Long-Term`	The Federated IdP.
`groupsClaim`	string		`Long-Term`	The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
`humioManaged`	boolean	yes	`Long-Term`	Whether authentication is managed by LogScale.
`id`	string	yes	`Long-Term`	The unique identifier for the OIDC identity provider.
`issuer`	string	yes	`Long-Term`	The issuer of the OIDC authentication.
`jwksEndpoint`	string		`Long-Term`	A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
`lazyCreateUsers`	boolean	yes	`Long-Term`	Whether to wait to create users until necessary.
`name`	string	yes	`Long-Term`	The name of the OIDC identity provider.
`registrationEndpoint`	string		`Long-Term`	To use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow `%PUBLIC_URL%/auth/oidc` as a valid redirect endpoint for the client.
`scopeClaim`	string		`Long-Term`	The scope claim.
`scopes`	[string]	yes	`Long-Term`	Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile).
`tokenEndpoint`	string		`Long-Term`	A URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
`tokenEndpointAuthMethod`	string	yes	`Long-Term`	A URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
`userClaim`	string	yes	`Long-Term`	The name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
`userInfoEndpoint`	string		`Long-Term`	A URL to the user info endpoint used to retrieve user information from an access token.

GraphQL Mutations

GraphQL API Stability

GraphQL Queries

GraphQL Datatypes