API Stability Long-Term

The oidcIdentityProvider() GraphQL query is used to get information on an OIDC identity provider.

Syntax

Below is the syntax for the oidcIdentityProvider() query field:

graphql
oidcIdentityProvider(
      id: string!
   ): OidcIdentityProvider!

For the input, you'd give the unique identifier for the OIDC identity provider. But there are a several returned parameters that may be requested (see the Returned Datatype section). Below is an example of how this query field might be used:

Raw
graphql
query {
  oidcIdentityProvider(id: "1234") 
  {id, name, domains, issuer, 
   authenticationMethod{authType}
  }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  oidcIdentityProvider(id: \"1234\") 
  {id, name, domains, issuer, 
   authenticationMethod{authType}
  }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "query {
  oidcIdentityProvider(id: \"1234\") 
  {id, name, domains, issuer, 
   authenticationMethod{authType}
  }
}"
}
EOF
Windows Cmd and curl
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d @'{"query" : "query { ^
  oidcIdentityProvider(id: \"1234\")  ^
  {id, name, domains, issuer,  ^
   authenticationMethod{authType} ^
  } ^
}" ^
} '
Windows Powershell and curl
powershell
curl.exe -X POST 
    -H "Authorization: Bearer $TOKEN"
    -H "Content-Type: application/json"
    -d '{"query" : "query {
  oidcIdentityProvider(id: \"1234\") 
  {id, name, domains, issuer, 
   authenticationMethod{authType}
  }
}"
}'
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $json = '{"query" : "query {
  oidcIdentityProvider(id: \"1234\") 
  {id, name, domains, issuer, 
   authenticationMethod{authType}
  }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";
Python
python
#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/graphql'
mydata = r'''{"query" : "query {
  oidcIdentityProvider(id: \"1234\") 
  {id, name, domains, issuer, 
   authenticationMethod{authType}
  }
}"
}'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $TOKEN",
   "Content-Type" : "application/json"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

const data = JSON.stringify(
    {"query" : "query {
  oidcIdentityProvider(id: \"1234\") 
  {id, name, domains, issuer, 
   authenticationMethod{authType}
  }
}"
}
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/graphql',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Returned Datatypes

For the returned datatype, OidcIdentityProvider, there are several parameters that may be given. Below is a list of them, along with a description of each:

Table: OidcIdentityProvider

ParameterTypeRequiredDefaultStabilityDescription
Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Jun 26, 2025
authenticationMethodAuthenticationMethodAuthyes Long-TermThe authentication method used. See AuthenticationMethodAuth.
authorizationEndpointstring  Long-TermA URL to the endpoint a user should be redirected to when authorizing.
clientIdstringyes Long-TermThe unique identifier for the client.
clientSecretstringyes Long-TermThe password for the client.
debugbooleanyes Long-TermWhether debugging is enabled.
defaultIdpbooleanyes Long-TermWhether the identity provider is the default.
domains[string]yes Long-TermThe domains authorized by the OIDC identity providers.
federatedIdpstring  Long-TermThe Federated IdP.
groupsClaimstring  Long-TermThe name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
humioManagedbooleanyes Long-TermWhether authentication is managed by LogScale.
idstringyes Long-TermThe unique identifier for the OIDC identity provider.
issuerstringyes Long-TermThe issuer of the OIDC authentication.
jwksEndpointstring  Long-TermA URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
lazyCreateUsersbooleanyes Long-TermWhether to wait to create users until necessary.
namestringyes Long-TermThe name of the OIDC identity provider.
registrationEndpointstring  Long-TermTo use OIDC as a client, PUBLIC_URL must be set, LogScale must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client.
scopeClaimstring  Long-TermThe scope claim.
scopes[string]yes Long-TermComma-separated list of scopes to add in addition to the default requested scopes (openid, email, and profile).
tokenEndpointstring  Long-TermA URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
tokenEndpointAuthMethodstringyes Long-TermA URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
userClaimstringyes Long-TermThe name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
userInfoEndpointstring  Long-TermA URL to the user info endpoint used to retrieve user information from an access token.