The newOIDCIdentityProvider() GraphQL mutation may be used to set up a new OIDC identity provider. It's a root operation.

For more information on OpenID Connect, see the Authenticating with OpenID Connect documentation page. You may also want to look at Authentication & Identity Providers for related information.

Syntax

Below is the syntax for the newOIDCIdentityProvider() mutation field:

newOIDCIdentityProvider(input: OidcConfigurationInput!): OidcIdentityProvider!

Given Datatypes

For the given datatype, OidcConfigurationInput, there are several parameters that may be given. Below is a list of them along with their datatypes and a description of each:

Table: OidcConfigurationInput

Parameter | Type | Required[a] | Default | Description
name | string | yes | | The name of the OpenID Connect (OIDC) identity provider.
clientID | string | yes | | The unique identifier of the client.
clientSecret | string | yes | | The client's password or passphrase or the like for the identity provider.
issuer | string | yes | | The OIDC issuer.
tokenEndpointAuthMethod | string | yes | | The authentication method used to authenticate LogScale against the token endpoint. Can either be client_secret_basic or client_secret_post for placing the client id and secret in either basic auth or post data, respectively. Defaults to client_secret_basic, or client_secret_post if client_secret_basic is not supported as per the discovery endpoint.
authorizationEndpoint | string | yes | | A URL to the endpoint a user should be redirected to when authorizing. Required for clients.
tokenEndpoint | string | | | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients.
userInfoEndpoint | string | | | A URL to the user info endpoint used to retrieve user information from an access token. Required.
registrationEndpoint | string | | | LogScale will use the OIDC endpoint (%OIDC_PROVIDER%/.well-known/openid-configuration) to configure missing parameters.
groupsClaim | string | | | The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
JWKSEndpoint | string | | | A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
domains | [string] | yes | | The domains for the OIDC authentication.
scopes | [string] | yes | | Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile). Optional.
userClaim | string | | 'email' | The name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
enableDebug | boolean | yes | | Whether to enable debugging mode.
defaultIdp | boolean | | | The default identity provider.
humioOwned | boolean | | | Whether this is a LogScale owned OIDC.
lazyCreateUsers | boolean | | | Whether to create users at the last moment, and only when needed.

[a] Some arguments may be required, as indicated in this column. For some fields, this column indicates that a result will always be returned for it.
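As an added example (not code from the LogScale documentation or product), the following Python helper builds the JSON body for this mutation from an OidcConfigurationInput dictionary, rejecting input that lacks the fields the table marks as required or that uses a tokenEndpointAuthMethod other than client_secret_basic or client_secret_post. It assumes LogScale's GraphQL endpoint is served at <base_url>/graphql with a bearer API token; the selection set deliberately omits clientSecret so the secret is never echoed back in the response.

```python
import json
import urllib.request

# GraphQL document for the mutation on this page. The selected fields are a
# subset of OidcIdentityProvider; clientSecret is intentionally not selected.
NEW_OIDC_IDP_MUTATION = """
mutation NewOidcIdp($input: OidcConfigurationInput!) {
  newOIDCIdentityProvider(input: $input) {
    id name issuer domains tokenEndpointAuthMethod userClaim groupsClaim
  }
}
"""

# Fields the OidcConfigurationInput table marks as required, and the two
# values tokenEndpointAuthMethod accepts.
REQUIRED = ("name", "clientID", "clientSecret", "issuer", "tokenEndpointAuthMethod",
            "authorizationEndpoint", "domains", "scopes", "enableDebug")
AUTH_METHODS = ("client_secret_basic", "client_secret_post")


def validate_oidc_input(cfg: dict) -> list:
    """Return a list of problems; an empty list means the input is acceptable."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in cfg]
    if cfg.get("tokenEndpointAuthMethod") not in AUTH_METHODS:
        problems.append("tokenEndpointAuthMethod must be one of " + ", ".join(AUTH_METHODS))
    for list_field in ("domains", "scopes"):
        if not isinstance(cfg.get(list_field), list):
            problems.append(f"{list_field} must be a list of strings")
    return problems


def build_request_body(cfg: dict) -> dict:
    """Build the {"query", "variables"} body the GraphQL endpoint expects."""
    problems = validate_oidc_input(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return {"query": NEW_OIDC_IDP_MUTATION, "variables": {"input": cfg}}


def post_mutation(base_url: str, api_token: str, body: dict) -> dict:
    """POST the body to <base_url>/graphql (assumed path; network call)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + api_token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Load clientSecret and the API token from the environment or a secrets store rather than hard-coding them, and keep enableDebug off outside of troubleshooting, since debug output can expose token contents in logs.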

Returned Datatypes

The returned datatype OidcIdentityProvider has its own parameters. Below is a list of them along with their datatypes and a description of each:

Table: OidcIdentityProvider

Parameter | Type | Required[a] | Default | Description
id | string | yes | | The unique identifier for the OIDC identity provider.
name | string | yes | | The name of the OIDC identity provider.
clientId | string | yes | | The unique identifier for the client.
clientSecret | string | yes | | The password for the client.
domains | [string] | yes | | The domains authorized by the OIDC identity providers.
issuer | string | yes | | The issuer of the OIDC authentication.
tokenEndpointAuthMethod | string | yes | | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients.
userClaim | string | yes | | The name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
scopes | [string] | yes | | Comma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile).
userInfoEndpoint | string | | | A URL to the user info endpoint used to retrieve user information from an access token.
registrationEndpoint | string | | | To use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client.
tokenEndpoint | string | | | A URL to the token endpoint used to exchange an authentication code for an access token. Required for clients.
groupsClaim | string | | | The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
jwksEndpoint | string | | | A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
authenticationMethod | AuthenticationMethodAuth | yes | | The authentication method used (see AuthenticationMethodAuth Table).
authorizationEndpoint | string | | | A URL to the endpoint a user should be redirected to when authorizing.
debug | boolean | yes | | Whether debugging is enabled.
defaultIdp | boolean | yes | | Whether the identity provider is the default.
humioManaged | boolean | yes | | Whether authentication is managed by LogScale.
lazyCreateUsers | boolean | yes | | Whether to wait to create users until necessary.

[a] Some arguments may be required, as indicated in this column. For some fields, this column indicates that a result will always be returned for it.