pulumi-fusionauth

A Pulumi package for managing FusionAuth instances.

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; export interface FusionAuthApiKeyPermissionsEndpoint { /** * HTTP DELETE Verb */ delete?: pulumi.Input<boolean>; endpoint: pulumi.Input<string>; /** * HTTP GET Verb */ get?: pulumi.Input<boolean>; /** * HTTP PATCH Verb */ patch?: pulumi.Input<boolean>; /** * HTTP POST Verb */ post?: pulumi.Input<boolean>; /** * HTTP PUT Verb */ put?: pulumi.Input<boolean>; } export interface FusionAuthApplicationAccessControlConfiguration { /** * The Id of the IP Access Control List limiting access to this application. */ uiIpAccessControlListId?: pulumi.Input<string>; } export interface FusionAuthApplicationCleanSpeakConfiguration { /** * An array of UUIDs that map to the CleanSpeak applications for this Application. It is possible that a single Application in FusionAuth might have multiple Applications in CleanSpeak. For example, a FusionAuth Application for a game might have one CleanSpeak Application for usernames and another Application for chat. */ applicationIds?: pulumi.Input<pulumi.Input<string>[]>; usernameModeration?: pulumi.Input<inputs.FusionAuthApplicationCleanSpeakConfigurationUsernameModeration>; } export interface FusionAuthApplicationCleanSpeakConfigurationUsernameModeration { /** * The Id of the CleanSpeak application that usernames are sent to for moderation. */ applicationId?: pulumi.Input<string>; /** * True if CleanSpeak username moderation is enabled. */ enabled?: pulumi.Input<boolean>; } export interface FusionAuthApplicationEmailConfiguration { /** * The Id of the Email Template used to send emails to users when their email address is updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ emailUpdateTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users to verify that their email address is valid. 
When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ emailVerificationTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to verify user emails. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ emailVerifiedTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template that is used when a user is sent a forgot password email. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ forgotPasswordTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when another user attempts to create an account with their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ loginIdInUseOnCreateTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when another user attempts to update an existing account to use their login Id. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ loginIdInUseOnUpdateTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when they log in on a new device. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ loginNewDeviceTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when a suspicious login occurs. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. 
*/ loginSuspiciousTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when they have completed a 'forgot password' workflow and their password has been reset. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ passwordResetSuccessTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when their password has been updated. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ passwordUpdateTemplateId?: pulumi.Input<string>; /** * The Id of the Passwordless Email Template, sent to users when they start a passwordless login. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ passwordlessEmailTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template that is used when a user had their account created for them and they must set their password manually and they are sent an email to set their password. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ setPasswordEmailTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when a MFA method has been added to their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. */ twoFactorMethodAddTemplateId?: pulumi.Input<string>; /** * The Id of the Email Template used to send emails to users when a MFA method has been removed from their account. When configured, this value will take precedence over the same configuration from the Tenant when an application context is known. 
*/ twoFactorMethodRemoveTemplateId?: pulumi.Input<string>; } export interface FusionAuthApplicationFormConfiguration { /** * The unique Id of the form to use for the Add and Edit User Registration form when used in the FusionAuth admin UI. */ adminRegistrationFormId?: pulumi.Input<string>; selfServiceFormConfiguration?: pulumi.Input<inputs.FusionAuthApplicationFormConfigurationSelfServiceFormConfiguration>; /** * The unique Id of the form to to enable authenticated users to manage their profile on the account page. */ selfServiceFormId?: pulumi.Input<string>; } export interface FusionAuthApplicationFormConfigurationSelfServiceFormConfiguration { /** * When enabled a user will be required to provide their current password when changing their password on a self-service account form. */ requireCurrentPasswordOnPasswordChange?: pulumi.Input<boolean>; } export interface FusionAuthApplicationJwtConfiguration { /** * The Id of the signing key used to sign the access token. */ accessTokenId?: pulumi.Input<string>; /** * Indicates if this application is using the JWT configuration defined here or the global JWT configuration defined by the System Configuration. If this is false the signing algorithm configured in the System Configuration will be used. If true the signing algorithm defined in this application will be used. */ enabled?: pulumi.Input<boolean>; /** * The Id of the signing key used to sign the Id token. */ idTokenKeyId?: pulumi.Input<string>; /** * The Refresh Token expiration policy. The possible values are: Fixed - the expiration is calculated from the time the token is issued. SlidingWindow - the expiration is calculated from the last time the token was used. SlidingWindowWithMaximumLifetime - the expiration is calculated from the last time the token was used, or until `refreshTokenSlidingWindowMaximumTtlInMinutes` is reached. 
*/ refreshTokenExpirationPolicy?: pulumi.Input<string>; /** * The maximum lifetime of a refresh token when using a refresh token expiration policy of `SlidingWindowWithMaximumLifetime`. Value must be greater than 0. */ refreshTokenSlidingWindowMaximumTtlInMinutes?: pulumi.Input<number>; /** * The length of time in minutes the JWT refresh token will live before it is expired and is not able to be exchanged for a JWT. */ refreshTokenTtlMinutes?: pulumi.Input<number>; /** * The refresh token usage policy. The following are valid values: Reusable - the token does not change after it was issued. OneTimeUse - the token value will be changed each time the token is used to refresh a JWT. The client must store the new value after each usage. Defaults to Reusable. */ refreshTokenUsagePolicy?: pulumi.Input<string>; /** * The length of time in seconds the JWT will live before it is expired and no longer valid. */ ttlSeconds?: pulumi.Input<number>; } export interface FusionAuthApplicationLambdaConfiguration { /** * The Id of the Lambda that will be invoked when an access token is generated for this application. This will be utilized during OAuth2 and OpenID Connect authentication requests as well as when an access token is generated for the Login API. */ accessTokenPopulateId?: pulumi.Input<string>; /** * The Id of the Lambda that will be invoked when an Id token is generated for this application during an OpenID Connect authentication request. */ idTokenPopulateId?: pulumi.Input<string>; /** * The Id of the Lambda that will be invoked when a a SAML response is generated during a SAML authentication request. */ samlv2PopulateId?: pulumi.Input<string>; /** * The unique Id of the lambda that will be used to perform additional validation on registration form steps. */ selfServiceRegistrationValidationId?: pulumi.Input<string>; /** * The Id of the Lambda that will be invoked when a UserInfo response is generated for this application. 
*/ userinfoPopulateId?: pulumi.Input<string>; } export interface FusionAuthApplicationLoginConfiguration { /** * Indicates if a JWT may be refreshed using a Refresh Token for this application. This configuration is separate from issuing new Refresh Tokens which is controlled by the generateRefreshTokens parameter. This configuration indicates specifically if an existing Refresh Token may be used to request a new JWT using the Refresh API. */ allowTokenRefresh?: pulumi.Input<boolean>; /** * Indicates if a Refresh Token should be issued from the Login API */ generateRefreshTokens?: pulumi.Input<boolean>; /** * Indicates if the Login API should require an API key. If you set this value to false and your FusionAuth API is on a public network, anyone may attempt to use the Login API. */ requireAuthentication?: pulumi.Input<boolean>; } export interface FusionAuthApplicationMultiFactorConfiguration { /** * The Id of the email template that is used when notifying a user to complete a multi-factor authentication request. */ emailTemplateId?: pulumi.Input<string>; /** * When enabled and a user has one or more two-factor methods configured, the user will be required to complete a two-factor challenge during login. When disabled, even when a user has configured one or more two-factor methods, the user will not be required to complete a two-factor challenge during login. When required, the user will be required to complete a two-factor challenge during login. Possible values are `Enabled`, `Disabled` or `Required`. */ loginPolicy?: pulumi.Input<string>; /** * The Id of the SMS template that is used when notifying a user to complete a multi-factor authentication request. */ smsTemplateId?: pulumi.Input<string>; /** * When `multi_factor_configuration.login_policy` is set to `Enabled`, this trust policy is utilized when determining if a user must complete a two-factor challenge during login. Possible values are `Any`, `This` or `None`. 
*/ trustPolicy?: pulumi.Input<string>; } export interface FusionAuthApplicationOauthConfiguration { /** * An array of URLs that are the authorized origins for FusionAuth OAuth. */ authorizedOriginUrls?: pulumi.Input<pulumi.Input<string>[]>; /** * An array of URLs that are the authorized redirect URLs for FusionAuth OAuth. */ authorizedRedirectUrls?: pulumi.Input<pulumi.Input<string>[]>; /** * Determines whether wildcard expressions will be allowed in the authorizedRedirectUrls and authorized_origin_urls. */ authorizedUrlValidationPolicy?: pulumi.Input<string>; /** * Determines the client authentication requirements for the OAuth 2.0 Token endpoint. */ clientAuthenticationPolicy?: pulumi.Input<string>; /** * The OAuth 2.0 client id. If you leave this blank during a POST, a client id will be generated for you. If you leave this blank during PUT, the previous value will be maintained. For both POST and PUT you can provide a value and it will be stored. */ clientId?: pulumi.Input<string>; /** * The OAuth 2.0 client secret. If you leave this blank during a POST, a secure secret will be generated for you. If you leave this blank during PUT, the previous value will be maintained. For both POST and PUT you can provide a value and it will be stored. */ clientSecret?: pulumi.Input<string>; /** * Controls the policy for prompting a user to consent to requested OAuth scopes. This configuration only takes effect when `application.oauthConfiguration.relationship` is `ThirdParty`. The possible values are: * * `AlwaysPrompt` - Always prompt the user for consent. * * `RememberDecision` - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the Tenant’s `externalIdentifierConfiguration.rememberOAuthScopeConsentChoiceTimeToLiveInSeconds` value. * * `NeverPrompt` - The user will be never be prompted to consent to requested OAuth scopes. 
Permission will be granted implicitly as if this were a `FirstParty` application. This configuration is meant for testing purposes only and should not be used in production. */ consentMode?: pulumi.Input<string>; /** * Whether or not FusionAuth will log a debug Event Log. This is particular useful for debugging the authorization code exchange with the Token endpoint during an Authorization Code grant." */ debug?: pulumi.Input<boolean>; /** * The device verification URL to be used with the Device Code grant type, this field is required when deviceCode is enabled. */ deviceVerificationUrl?: pulumi.Input<string>; /** * The enabled grants for this application. In order to utilize a particular grant with the OAuth 2.0 endpoints you must have enabled the grant. */ enabledGrants?: pulumi.Input<pulumi.Input<string>[]>; /** * Determines if the OAuth 2.0 Token endpoint will generate a refresh token when the offlineAccess scope is requested. */ generateRefreshTokens?: pulumi.Input<boolean>; /** * Behavior when /oauth2/logout is called. */ logoutBehavior?: pulumi.Input<string>; /** * The logout URL for the Application. FusionAuth will redirect to this URL after the user logs out of OAuth. */ logoutUrl?: pulumi.Input<string>; /** * Determines the PKCE requirements when using the authorization code grant. */ proofKeyForCodeExchangePolicy?: pulumi.Input<string>; /** * Configures which of the default scopes are enabled and required. */ providedScopePolicies?: pulumi.Input<pulumi.Input<inputs.FusionAuthApplicationOauthConfigurationProvidedScopePolicy>[]>; /** * The application’s relationship to the OAuth server. The possible values are: * * `FirstParty` - The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly. * * `ThirdParty` - The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on the application object’s `oauthConfiguration.consentMode` value. 
Note: An Essentials or Enterprise plan is required to utilize third-party applications. */ relationship?: pulumi.Input<string>; /** * Determines if the OAuth 2.0 Token endpoint requires client authentication. If this is enabled, the client must provide client credentials when using the Token endpoint. The clientId and clientSecret may be provided using a Basic Authorization HTTP header, or by sending these parameters in the request body using POST data. * * @deprecated In version 1.28.0 and beyond, client authentication can be managed via oauth_configuration.client_authentication_policy. */ requireClientAuthentication?: pulumi.Input<boolean>; /** * When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not currently apply to any other grant. */ requireRegistration?: pulumi.Input<boolean>; /** * Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response. The possible values are: * * `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0. * * `Strict` - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes. */ scopeHandlingPolicy: pulumi.Input<string>; /** * Controls the policy for handling unknown scopes on an OAuth request. The possible values are: * * `Allow` - Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent. * * `Remove` - Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them. * * `Reject` - Unknown scopes will be rejected and cause the OAuth workflow to fail with an error. 
*/ unknownScopePolicy: pulumi.Input<string>; } export interface FusionAuthApplicationOauthConfigurationProvidedScopePolicy { address?: pulumi.Input<inputs.FusionAuthApplicationOauthConfigurationProvidedScopePolicyAddress>; email?: pulumi.Input<inputs.FusionAuthApplicationOauthConfigurationProvidedScopePolicyEmail>; phone?: pulumi.Input<inputs.FusionAuthApplicationOauthConfigurationProvidedScopePolicyPhone>; profile?: pulumi.Input<inputs.FusionAuthApplicationOauthConfigurationProvidedScopePolicyProfile>; } export interface FusionAuthApplicationOauthConfigurationProvidedScopePolicyAddress { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationOauthConfigurationProvidedScopePolicyEmail { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationOauthConfigurationProvidedScopePolicyPhone { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationOauthConfigurationProvidedScopePolicyProfile { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationConfiguration { birthDate?: pulumi.Input<inputs.FusionAuthApplicationRegistrationConfigurationBirthDate>; /** * Determines if the password should be confirmed during self service registration, this means that the user will be required to type the password twice. */ confirmPassword?: pulumi.Input<boolean>; /** * Determines if self service registration is enabled for this application. When this value is false, you may still use the Registration API, this only affects if the self service option is available during the OAuth 2.0 login. */ enabled?: pulumi.Input<boolean>; firstName?: pulumi.Input<inputs.FusionAuthApplicationRegistrationConfigurationFirstName>; /** * The Id of an associated Form when using advanced registration configuration type. 
This field is required when application.registrationConfiguration.type is set to advanced. */ formId?: pulumi.Input<string>; fullName?: pulumi.Input<inputs.FusionAuthApplicationRegistrationConfigurationFullName>; lastName?: pulumi.Input<inputs.FusionAuthApplicationRegistrationConfigurationLastName>; /** * The unique login Id that will be collected during registration, this value can be email or username. Leaving the default value of email is preferred because an email address is globally unique. */ loginIdType?: pulumi.Input<string>; middleName?: pulumi.Input<inputs.FusionAuthApplicationRegistrationConfigurationMiddleName>; mobilePhone?: pulumi.Input<inputs.FusionAuthApplicationRegistrationConfigurationMobilePhone>; preferredLanguages?: pulumi.Input<inputs.FusionAuthApplicationRegistrationConfigurationPreferredLanguages>; /** * The type of registration flow. */ type?: pulumi.Input<string>; } export interface FusionAuthApplicationRegistrationConfigurationBirthDate { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationConfigurationFirstName { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationConfigurationFullName { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationConfigurationLastName { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationConfigurationMiddleName { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationConfigurationMobilePhone { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationConfigurationPreferredLanguages { enabled?: pulumi.Input<boolean>; required?: pulumi.Input<boolean>; } export interface FusionAuthApplicationRegistrationDeletePolicy { /** * 
Indicates that users without a verified registration for this application will have their registration permanently deleted after application.registrationDeletePolicy.unverified.numberOfDaysToRetain days. */ unverifiedEnabled?: pulumi.Input<boolean>; /** * The number of days from registration a user’s registration will be retained before being deleted for not completing registration verification. This field is required when application.registrationDeletePolicy.enabled is set to true. Value must be greater than 0. */ unverifiedNumberOfDaysToRetain?: pulumi.Input<number>; } export interface FusionAuthApplicationSamlv2Configuration { assertionEncryptionConfiguration?: pulumi.Input<inputs.FusionAuthApplicationSamlv2ConfigurationAssertionEncryptionConfiguration>; /** * The audience for the SAML response sent to back to the service provider from FusionAuth. Some service providers require different audience values than the issuer and this configuration option lets you change the audience in the response. */ audience?: pulumi.Input<string>; /** * An array of URLs that are the authorized redirect URLs for FusionAuth OAuth. */ authorizedRedirectUrls: pulumi.Input<pulumi.Input<string>[]>; /** * The URL of the callback (sometimes called the Assertion Consumer Service or ACS). This is where FusionAuth sends the browser after the user logs in via SAML. * * @deprecated In version 1.20.0 and beyond, Callback URLs can be managed via authorized_redirect_urls. */ callbackUrl?: pulumi.Input<string>; /** * Whether or not FusionAuth will log SAML debug messages to the event log. This is useful for debugging purposes. */ debug?: pulumi.Input<boolean>; /** * Default verification key to use for HTTP Redirect Bindings, and for POST Bindings when no key is found in request. */ defaultVerificationKeyId?: pulumi.Input<string>; /** * Whether or not the SAML IdP for this Application is enabled or not. 
*/ enabled?: pulumi.Input<boolean>; initiatedLogin?: pulumi.Input<inputs.FusionAuthApplicationSamlv2ConfigurationInitiatedLogin>; /** * The issuer that identifies the service provider and allows FusionAuth to load the correct Application and SAML configuration. If you don’t know the issuer, you can often times put in anything here and FusionAuth will display an error message with the issuer from the service provider when you test the SAML login. */ issuer: pulumi.Input<string>; /** * The id of the Key used to sign the SAML response. If you do not specify this property, FusionAuth will create a new key and associate it with this Application. */ keyId?: pulumi.Input<string>; loginHintConfiguration?: pulumi.Input<inputs.FusionAuthApplicationSamlv2ConfigurationLoginHintConfiguration>; logout?: pulumi.Input<inputs.FusionAuthApplicationSamlv2ConfigurationLogout>; /** * The URL that the browser is taken to after the user logs out of the SAML service provider. Often service providers need this URL in order to correctly hook up single-logout. Note that FusionAuth does not support the SAML single-logout profile because most service providers to not support it properly. */ logoutUrl?: pulumi.Input<string>; /** * If set to true, will force verification through the key store. */ requiredSignedRequests?: pulumi.Input<boolean>; /** * The XML signature canonicalization method used when digesting and signing the SAML response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use. */ xmlSignatureCanonicalizationMethod?: pulumi.Input<string>; /** * The location to place the XML signature when signing a successful SAML response. 
*/ xmlSignatureLocation?: pulumi.Input<string>; } export interface FusionAuthApplicationSamlv2ConfigurationAssertionEncryptionConfiguration { /** * The message digest algorithm to use when encrypting the symmetric key for transport. The possible values are: SHA1 - SHA-1 hashing algorithm, SHA256 - SHA-256 hashing algorithm, SHA384 - SHA-384 hashing algorithm or SHA512 - SHA-512 hashing algorithm. Using SHA256 or higher is recommended. */ digestAlgorithm?: pulumi.Input<string>; /** * Determines if SAML assertion encryption is enabled for this Application. */ enabled?: pulumi.Input<boolean>; /** * The symmetric key encryption algorithm that will be used to encrypt SAML assertions. A new symmetric key will be generated every time an assertion is encrypted. AES ciphers can operate in Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM). The possible values are: AES128, AES192, AES256, AES128GCM, AES192GCM, AES256GCM or TripleDES. */ encryptionAlgorithm?: pulumi.Input<string>; /** * The location that the encrypted symmetric key information will be placed in the SAML response in relation to the EncryptedData element containing the encrypted assertion value. The possible values are: Child (The EncryptedKey element will be wrapped in a KeyInfo element and added inside the EncryptedData) or Sibling (The EncryptedKey element will be added to the document as a sibling of EncryptedData). */ keyLocation?: pulumi.Input<string>; /** * The encryption algorithm used to encrypt the symmetric key for transport in the SAML response. The possible values are: RSAv15, RSA_OAEP or RSA_OAEP_MGF1P. */ keyTransportAlgorithm?: pulumi.Input<string>; /** * The unique Id of the Key used to encrypt the symmetric key for transport in the SAML response. The selected Key must contain an RSA certificate. This parameter is required when application.samlv2Configuration.assertionEncryptionConfiguration.enabled is set to true. 
*/ keyTransportEncryptionKeyId?: pulumi.Input<string>; /** * The mask generation function and hash function to use for the Optimal Asymmetric Encryption Padding when encrypting a symmetric key for transport. The possible values are: MGF1_SHA1, MGF1_SHA224, MGF1_SHA256, MGF1_SHA384 or MGF1_SHA512. This value is only used when the `application.samlv2Configuration.assertionEncryptionConfiguration.keyTransportAlgorithm` is set to RSA_OAEP. RSAv15 does not require a message digest function, and RSA_OAEP_MGF1P will always use MGF1_SHA1 regardless of this value. */ maskGenerationFunction?: pulumi.Input<string>; } export interface FusionAuthApplicationSamlv2ConfigurationInitiatedLogin { /** * Determines if SAML v2 IdP initiated login is enabled for this application. See application.samlv2Configuration.authorizedRedirectURLs for information on which destination URLs are allowed. */ enabled?: pulumi.Input<boolean>; /** * The value sent in the AuthN response to the SAML v2 Service Provider in the NameID assertion. */ nameIdFormat?: pulumi.Input<string>; } export interface FusionAuthApplicationSamlv2ConfigurationLoginHintConfiguration { /** * When enabled, FusionAuth will accept a username or email address as a login hint on a custom HTTP request parameter. */ enabled?: pulumi.Input<boolean>; /** * The name of the parameter that will be used to pass the login hint to the SAML v2 IdP. */ parameterName?: pulumi.Input<string>; } export interface FusionAuthApplicationSamlv2ConfigurationLogout { /** * This configuration is functionally equivalent to the Logout Behavior found in the OAuth2 configuration. */ behavior?: pulumi.Input<string>; /** * The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings. */ defaultVerificationKeyId?: pulumi.Input<string>; /** * The unique Id of the Key used to sign the SAML Logout response. 
*/ keyId?: pulumi.Input<string>; /** * Set this parameter equal to true to require the SAML v2 Service Provider to sign the Logout request. When this value is true all Logout requests missing a signature will be rejected. */ requireSignedRequests?: pulumi.Input<boolean>; singleLogout?: pulumi.Input<inputs.FusionAuthApplicationSamlv2ConfigurationLogoutSingleLogout>; /** * The XML signature canonicalization method used when digesting and signing the SAML Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use. */ xmlSignatureCanonicalizationMethod?: pulumi.Input<string>; } export interface FusionAuthApplicationSamlv2ConfigurationLogoutSingleLogout { /** * Whether or not SAML Single Logout for this SAML IdP is enabled. */ enabled?: pulumi.Input<boolean>; /** * The unique Id of the Key used to sign the SAML Single Logout response. */ keyId?: pulumi.Input<string>; /** * The URL at which you want to receive the LogoutRequest from FusionAuth. */ url?: pulumi.Input<string>; /** * The XML signature canonicalization method used when digesting and signing the SAML Single Logout response. Unfortunately, many service providers do not correctly implement the XML signature specifications and force a specific canonicalization method. This setting allows you to change the canonicalization method to match the service provider. Often, service providers don’t even document their required method. You might need to contact enterprise support at the service provider to figure out what method they use. 
*/ xmlSignatureCanonicalizationMethod?: pulumi.Input<string>; } export interface FusionAuthApplicationWebauthnConfiguration { /** * Indicates if this application enables WebAuthn workflows based on the configuration defined here or the Tenant WebAuthn configuration. If this is false, WebAuthn workflows will be enabled based on the Tenant configuration. If true, WebAuthn workflows will be enabled according to the configuration of this application. */ bootstrapWorkflowEnabled?: pulumi.Input<boolean>; /** * Whether the WebAuthn bootstrap workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false. */ enabled?: pulumi.Input<boolean>; /** * Whether the WebAuthn reauthentication workflow is enabled for this application. This overrides the tenant configuration. Has no effect if application.webAuthnConfiguration.enabled is false. */ reauthenticationWorkflowEnabled?: pulumi.Input<boolean>; } export interface FusionAuthEntityTypeJwtConfiguration { /** * The unique ID of the signing key used to sign the access token. Required when * enabled is set to true. */ accessTokenKeyId?: pulumi.Input<string>; /** * Indicates if this application is using the JWT configuration defined here or the global JWT * configuration defined by the Tenant. If this is false the signing algorithm configured in the Tenant will be used. * If true the signing algorithm defined in this application will be used. */ enabled?: pulumi.Input<boolean>; /** * The length of time in seconds the JWT will live before it is expired and no longer valid. Required when enabled is set to true. */ timeToLiveInSeconds?: pulumi.Input<number>; } export interface FusionAuthFormFieldValidator { /** * Determines if user input should be validated. */ enabled?: pulumi.Input<boolean>; /** * A regular expression used to validate user input. Must be a valid regular expression pattern. 
*/
    expression?: pulumi.Input<string>;
}
/**
 * One step of a multi-step Form.
 */
export interface FusionAuthFormStep {
    /**
     * An ordered list of Form Field Ids assigned to this step.
     */
    fields: pulumi.Input<pulumi.Input<string>[]>;
}
/**
 * Per-application overrides for the Sign in with Apple identity provider. Override fields left unset fall back to the top-level identity provider value.
 */
export interface FusionAuthIdpAppleApplicationConfiguration {
    /**
     * ID of the Application to apply this configuration to.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * The Apple Bundle identifier found in your Apple Developer Account which has been configured for Sign in with Apple. The Bundle identifier is used to Sign in with Apple from native applications. The request must include `bundleId` or `servicesId` . If `servicesId` is omitted, this field is required.
     */
    bundleId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level button text.
     */
    buttonText?: pulumi.Input<string>;
    /**
     * Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
     * Leave this false if access to the Application should be granted explicitly rather than on first login through the provider.
     */
    createRegistration?: pulumi.Input<boolean>;
    /**
     * Determines if this identity provider is enabled for the Application specified by the applicationId key.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * This is an optional Application specific override for the top level keyId.
     */
    keyId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level scope.
     */
    scope?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level servicesId.
     */
    servicesId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level teamId.
*/
    teamId?: pulumi.Input<string>;
}
/**
 * Per-tenant settings for the Sign in with Apple identity provider, chiefly the cap on how many links to this provider a user may hold.
 */
export interface FusionAuthIdpAppleTenantConfiguration {
    /**
     * When enabled, the number of identity provider links a user may create is enforced by `limitUserLinkCountMaximumLinks`.
     */
    limitUserLinkCountEnabled?: pulumi.Input<boolean>;
    /**
     * The maximum number of links to this identity provider that a user may create. Only enforced when `limitUserLinkCountEnabled` is true.
     */
    limitUserLinkCountMaximumLinks?: pulumi.Input<number>;
    /**
     * The unique Id of the tenant that this configuration applies to.
     */
    tenantId?: pulumi.Input<string>;
}
/**
 * Per-application settings for the External JWT identity provider.
 */
export interface FusionAuthIdpExternalJwtApplicationConfiguration {
    /**
     * ID of the Application to apply this configuration to.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
     * Leave this false if access to the Application should be granted explicitly rather than on first login through the provider.
     */
    createRegistration?: pulumi.Input<boolean>;
    /**
     * Determines if this identity provider is enabled for the Application specified by the applicationId key.
     */
    enabled?: pulumi.Input<boolean>;
}
/**
 * Per-tenant settings for the External JWT identity provider, chiefly the cap on how many links to this provider a user may hold.
 */
export interface FusionAuthIdpExternalJwtTenantConfiguration {
    /**
     * When enabled, the number of identity provider links a user may create is enforced by `limitUserLinkCountMaximumLinks`.
     */
    limitUserLinkCountEnabled?: pulumi.Input<boolean>;
    /**
     * The maximum number of links to this identity provider that a user may create. Only enforced when `limitUserLinkCountEnabled` is true.
     */
    limitUserLinkCountMaximumLinks?: pulumi.Input<number>;
    /**
     * The unique Id of the tenant that this configuration applies to.
     */
    tenantId?: pulumi.Input<string>;
}
/**
 * Per-application overrides for the Facebook identity provider. Override fields left unset fall back to the top-level identity provider value.
 */
export interface FusionAuthIdpFacebookApplicationConfiguration {
    /**
     * This is an optional Application specific override for the top level `appId`.
     */
    appId?: pulumi.Input<string>;
    /**
     * ID of the FusionAuth Application to apply this configuration to.
*/
    applicationId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level `buttonText`.
     */
    buttonText?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level `clientSecret`.
     * NOTE(review): this is a credential. Supply it as a Pulumi secret (a secret config value or `pulumi.secret(...)`) so it is encrypted in state and redacted in output; whether the provider marks this property secret itself is not visible here.
     */
    clientSecret?: pulumi.Input<string>;
    /**
     * Determines if a `UserRegistration` is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
     * Leave this false if access to the Application should be granted explicitly rather than on first login through the provider.
     */
    createRegistration?: pulumi.Input<boolean>;
    /**
     * Determines if this identity provider is enabled for the Application specified by the `applicationId` property.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * This is an optional Application specific override for the top level `fields`.
     */
    fields?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level `permissions`.
     */
    permissions?: pulumi.Input<string>;
}
/**
 * Per-tenant settings for the Facebook identity provider, chiefly the cap on how many links to this provider a user may hold.
 */
export interface FusionAuthIdpFacebookTenantConfiguration {
    /**
     * When enabled, the number of identity provider links a user may create is enforced by `limitUserLinkCountMaximumLinks`.
     */
    limitUserLinkCountEnabled?: pulumi.Input<boolean>;
    /**
     * The maximum number of links to this identity provider that a user may create. Only enforced when `limitUserLinkCountEnabled` is true.
     */
    limitUserLinkCountMaximumLinks?: pulumi.Input<number>;
    /**
     * The unique Id of the tenant that this configuration applies to.
     */
    tenantId?: pulumi.Input<string>;
}
/**
 * Per-application overrides for the Google identity provider. Override fields left unset fall back to the top-level identity provider value.
 */
export interface FusionAuthIdpGoogleApplicationConfiguration {
    /**
     * ID of the Application to apply this configuration to.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level button text.
     */
    buttonText?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level client id.
*/
    clientId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level client secret.
     * NOTE(review): this is a credential. Supply it as a Pulumi secret (a secret config value or `pulumi.secret(...)`) so it is encrypted in state and redacted in output; whether the provider marks this property secret itself is not visible here.
     */
    clientSecret?: pulumi.Input<string>;
    /**
     * Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
     * Leave this false if access to the Application should be granted explicitly rather than on first login through the provider.
     */
    createRegistration?: pulumi.Input<boolean>;
    /**
     * Determines if this identity provider is enabled for the Application specified by the applicationId key.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * This is an optional Application specific override for the top level properties.
     */
    properties?: pulumi.Input<inputs.FusionAuthIdpGoogleApplicationConfigurationProperties>;
    /**
     * This is an optional Application specific override for the top level scope.
     */
    scope?: pulumi.Input<string>;
}
/**
 * Per-application overrides for the Google Identity Services `api` and `button` property strings.
 */
export interface FusionAuthIdpGoogleApplicationConfigurationProperties {
    /**
     * This is an optional Application specific override for the top level properties.api . If this `loginMethod` is set to UsePopup, or the Application configuration is unset and the top level loginMethod is set to UsePopup, and this value contains the conflicting ux_mode=redirect property, that single property will be replaced with ux_mode=popup.
     */
    api?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level `button`.
     */
    button?: pulumi.Input<string>;
}
/**
 * Google Identity Services configuration, as two properties-file formatted strings. Both are rendered into login-page HTML/JavaScript by templates, so they should come from trusted configuration only.
 */
export interface FusionAuthIdpGoogleProperties {
    /**
     * Google Identity Services login API configuration in a properties file formatted String. Any attribute from Google's documentation can be added. Properties can be referenced in templates that support Google login to initialize the API via HTML or JavaScript. The properties specified in this field should not include the data- prefix on the property name.
     * If the `loginMethod` is set to UsePopup and this value contains the conflicting ux_mode=redirect property, that single property will be replaced with ux_mode=popup.
     */
    api?: pulumi.Input<string>;
    /**
     * Google Identity Services button configuration in a properties file formatted String. Any attribute from Google's documentation can be added. Properties can be referenced in templates that support Google login to render the login button via HTML or JavaScript. The properties specified in this field should not include the data- prefix on the property name.
     */
    button?: pulumi.Input<string>;
}
/**
 * Per-tenant settings for the Google identity provider, chiefly the cap on how many links to this provider a user may hold.
 */
export interface FusionAuthIdpGoogleTenantConfiguration {
    /**
     * When enabled, the number of identity provider links a user may create is enforced by `limitUserLinkCountMaximumLinks`.
     */
    limitUserLinkCountEnabled?: pulumi.Input<boolean>;
    /**
     * The maximum number of links to this identity provider that a user may create. Only enforced when `limitUserLinkCountEnabled` is true.
     */
    limitUserLinkCountMaximumLinks?: pulumi.Input<number>;
    /**
     * The unique Id of the tenant that this configuration applies to.
     */
    tenantId?: pulumi.Input<string>;
}
/**
 * Per-application overrides for the LinkedIn identity provider. Override fields left unset fall back to the top-level identity provider value.
 */
export interface FusionAuthIdpLinkedInApplicationConfiguration {
    /**
     * ID of the FusionAuth Application to apply this configuration to.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level `buttonText`.
     */
    buttonText?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level `clientId`.
     */
    clientId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level `clientSecret`.
     * NOTE(review): this is a credential. Supply it as a Pulumi secret (a secret config value or `pulumi.secret(...)`) so it is encrypted in state and redacted in output; whether the provider marks this property secret itself is not visible here.
     */
    clientSecret?: pulumi.Input<string>;
    /**
     * Determines if a `UserRegistration` is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
     * Leave this false if access to the Application should be granted explicitly rather than on first login through the provider.
*/
    createRegistration?: pulumi.Input<boolean>;
    /**
     * Determines if this identity provider is enabled for the Application specified by the `applicationId` property.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * This is an optional Application specific override for the top level `scope`.
     */
    scope?: pulumi.Input<string>;
}
/**
 * Per-tenant settings for the LinkedIn identity provider, chiefly the cap on how many links to this provider a user may hold.
 */
export interface FusionAuthIdpLinkedInTenantConfiguration {
    /**
     * When enabled, the number of identity provider links a user may create is enforced by `limitUserLinkCountMaximumLinks`.
     */
    limitUserLinkCountEnabled?: pulumi.Input<boolean>;
    /**
     * The maximum number of links to this identity provider that a user may create. Only enforced when `limitUserLinkCountEnabled` is true.
     */
    limitUserLinkCountMaximumLinks?: pulumi.Input<number>;
    /**
     * The unique Id of the tenant that this configuration applies to.
     */
    tenantId?: pulumi.Input<string>;
}
/**
 * Per-application overrides for an OpenID Connect identity provider. Override fields left unset fall back to the top-level identity provider value.
 */
export interface FusionAuthIdpOpenIdConnectApplicationConfiguration {
    /**
     * ID of the Application to apply this configuration to.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level button image URL.
     */
    buttonImageUrl?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level button text.
     */
    buttonText?: pulumi.Input<string>;
    /**
     * Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
     * Leave this false if access to the Application should be granted explicitly rather than on first login through the provider.
     */
    createRegistration?: pulumi.Input<boolean>;
    /**
     * Determines if this identity provider is enabled for the Application specified by the applicationId key.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * This is an optional Application specific override for the top level client id.
     */
    oauth2ClientId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level client secret.
     * NOTE(review): this is a credential. Supply it as a Pulumi secret (a secret config value or `pulumi.secret(...)`) so it is encrypted in state and redacted in output; whether the provider marks this property secret itself is not visible here.
*/
    oauth2ClientSecret?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level scope.
     */
    oauth2Scope?: pulumi.Input<string>;
}
/**
 * Per-tenant settings for an OpenID Connect identity provider, chiefly the cap on how many links to this provider a user may hold.
 */
export interface FusionAuthIdpOpenIdConnectTenantConfiguration {
    /**
     * When enabled, the number of identity provider links a user may create is enforced by `limitUserLinkCountMaximumLinks`.
     */
    limitUserLinkCountEnabled?: pulumi.Input<boolean>;
    /**
     * The maximum number of links to this identity provider that a user may create. Only enforced when `limitUserLinkCountEnabled` is true.
     */
    limitUserLinkCountMaximumLinks?: pulumi.Input<number>;
    /**
     * The unique Id of the tenant that this configuration applies to.
     */
    tenantId?: pulumi.Input<string>;
}
/**
 * Per-application overrides for the PlayStation Network (PSN) identity provider. Override fields left unset fall back to the top-level identity provider value.
 */
export interface FusionAuthIdpPsnApplicationConfiguration {
    /**
     * ID of the Application to apply this configuration to.
     */
    applicationId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level button text.
     */
    buttonText?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level client_id.
     */
    clientId?: pulumi.Input<string>;
    /**
     * This is an optional Application specific override for the top level client_secret.
     * NOTE(review): this is a credential. Supply it as a Pulumi secret (a secret config value or `pulumi.secret(...)`) so it is encrypted in state and redacted in output; whether the provider marks this property secret itself is not visible here.
     */
    clientSecret?: pulumi.Input<string>;
    /**
     * Determines if a UserRegistration is created for the User automatically or not. If a user doesn’t exist in FusionAuth and logs in through an identity provider, this boolean controls whether or not FusionAuth creates a registration for the User in the Application they are logging into.
     * Leave this false if access to the Application should be granted explicitly rather than on first login through the provider.
     */
    createRegistration?: pulumi.Input<boolean>;
    /**
     * Determines if this identity provider is enabled for the Application specified by the applicationId key.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * This is an optional Application specific override for the top level scope.
*/ scope?: pulumi.Input<string>; } export interface FusionAuthIdpPsnTenantConfiguration { /** * When enabled, the number of identity provider links a user may create is enforced by maximumLinks */ limitUserLinkCountEnabled?: pulumi.Input<boolean>; /** * Determines if this provider is enabled. If it is false then it will be disabled globally. */ limitUserLinkCountMaximumLinks?: pulumi.