With this resource, you can set up applications that use Auth0 for authentication and configure the allowed callback URLs and secrets for these applications.
```hcl
resource "auth0_client" "my_client" {
  name                                = "Application - Acceptance Test"
  description                         = "Test Applications Long Description"
  app_type                            = "non_interactive"
  custom_login_page_on                = true
  is_first_party                      = true
  is_token_endpoint_ip_header_trusted = true
  oidc_conformant                     = false
  callbacks                           = ["https://example.com/callback"]
  allowed_origins                     = ["https://example.com"]
  allowed_logout_urls                 = ["https://example.com"]
  web_origins                         = ["https://example.com"]
  grant_types = [
    "authorization_code",
    "http://auth0.com/oauth/grant-type/password-realm",
    "implicit",
    "password",
    "refresh_token"
  ]
  client_metadata = {
    foo = "zoo"
  }
  jwt_configuration {
    lifetime_in_seconds = 300
    secret_encoded      = true
    alg                 = "RS256"
    scopes = {
      foo = "bar"
    }
  }
  refresh_token {
    leeway          = 0
    token_lifetime  = 2592000
    rotation_type   = "rotating"
    expiration_type = "expiring"
  }
  mobile {
    ios {
      team_id               = "9JA89QQLNQ"
      app_bundle_identifier = "com.my.bundle.id"
    }
  }
  addons {
    samlp {
      audience = "https://example.com/saml"
      issuer   = "https://example.com"
      mappings = {
        email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        name  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      }
      create_upn_claim                   = false
      passthrough_claims_with_no_mapping = false
      map_unknown_claims_as_is           = false
      map_identities                     = false
      name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      name_identifier_probes = [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ]
      signing_cert = "-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n"
    }
  }
}
```
- `name` (String) Name of the client.
- `addons` (Block List, Max: 1) Addons enabled for this client and their associated configurations. (see below for nested schema)
- `allowed_clients` (List of String) List of application IDs that will be allowed to make delegation requests. By default, all applications will be allowed.
- `allowed_logout_urls` (List of String) URLs that Auth0 may redirect to after logout.
- `allowed_origins` (List of String) URLs that represent valid origins for cross-origin resource sharing. By default, all your callback URLs will be allowed.
- `app_type` (String) Type of application the client represents. Possible values are: `native`, `spa`, `regular_web`, `non_interactive`, `sso_integration`. Specific SSO integration types accepted as well are: `rms`, `box`, `cloudbees`, `concur`, `dropbox`, `mscrm`, `echosign`, `egnyte`, `newrelic`, `office365`, `salesforce`, `sentry`, `sharepoint`, `slack`, `springcm`, `zendesk`, `zoom`.
- `callbacks` (List of String) URLs that Auth0 may call back to after a user authenticates for the client. Make sure to specify the protocol (`https://`), otherwise the callback may fail in some cases. With the exception of custom URI schemes for native clients, all callbacks should use the `https://` protocol.
- `client_aliases` (List of String) List of audiences/realms for SAML protocol. Used by the wsfed addon.
- `client_metadata` (Map of String) Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: `:,-+=_*?"/\()<>@` [Tab] [Space].
- `cross_origin_auth` (Boolean) Whether this client can be used to make cross-origin authentication requests (`true`) or it is not allowed to make such requests (`false`).
- `cross_origin_loc` (String) URL of the location in your site where the cross-origin verification takes place for the cross-origin auth flow when performing authentication in your own domain instead of the Auth0 Universal Login page.
- `custom_login_page` (String) The content (HTML, CSS, JS) of the custom login page.
- `custom_login_page_on` (Boolean) Indicates whether a custom login page is to be used.
- `description` (String) Description of the purpose of the client.
- `encryption_key` (Map of String) Encryption used for WS-Fed responses with this client.
- `form_template` (String) HTML form template to be used for WS-Federation.
- `grant_types` (List of String) Types of grants that this client is authorized to use.
- `initiate_login_uri` (String) Initiate login URI. Must be HTTPS or an empty string.
- `is_first_party` (Boolean) Indicates whether this client is a first-party client.
- `is_token_endpoint_ip_header_trusted` (Boolean) Indicates whether the token endpoint IP header is trusted. Requires the authentication method to be set to `client_secret_post` or `client_secret_basic`. Setting this property when creating the resource will default the authentication method to `client_secret_post`. To change the authentication method to `client_secret_basic`, use the `auth0_client_credentials` resource.
- `jwt_configuration` (Block List, Max: 1) Configuration settings for the JWTs issued for this client. (see below for nested schema)
- `logo_uri` (String) URL of the logo for the client. Recommended size is 150px x 150px. If none is set, the default badge for the application type will be shown.
- `mobile` (Block List, Max: 1) Additional configuration for native mobile apps. (see below for nested schema)
- `native_social_login` (Block List, Max: 1) Configuration settings to toggle native social login for mobile native applications. Once this is set it must stay set, with both resources set to `false` in order to change the `app_type`. (see below for nested schema)
- `oidc_backchannel_logout_urls` (Set of String) Set of URLs that are valid to call back from Auth0 for OIDC backchannel logout. Currently only one URL is allowed.
- `oidc_conformant` (Boolean) Indicates whether this client will conform to strict OIDC specifications.
- `organization_require_behavior` (String) Defines how to proceed during an authentication transaction when `organization_usage = "require"`. Can be `no_prompt` (default), `pre_login_prompt` or `post_login_prompt`.
- `organization_usage` (String) Defines how to proceed during an authentication transaction with regards to an organization. Can be `deny` (default), `allow` or `require`.
- `refresh_token` (Block List, Max: 1) Configuration settings for the refresh tokens issued for this client. (see below for nested schema)
- `require_pushed_authorization_requests` (Boolean) Makes the use of Pushed Authorization Requests mandatory for this client. This feature currently needs to be enabled on the tenant in order to make use of it.
- `sso` (Boolean) Applies only to SSO clients and determines whether Auth0 will handle Single Sign-On (`true`) or whether the identity provider will (`false`).
- `sso_disabled` (Boolean) Indicates whether or not SSO is disabled.
- `web_origins` (List of String) URLs that represent valid web origins for use with web message response mode.
- `client_id` (String) The ID of the client.
- `id` (String) The ID of this resource.
- `signing_keys` (List of Map of String, Sensitive) List containing a map of the public cert of the signing key and the public cert of the signing key in PKCS7.

### Nested Schema for `addons`
Optional:

- `aws` (Block List, Max: 1) AWS Addon configuration. (see below for nested schema)
- `azure_blob` (Block List, Max: 1) Azure Blob Storage Addon configuration. (see below for nested schema)
- `azure_sb` (Block List, Max: 1) Azure Storage Bus Addon configuration. (see below for nested schema)
- `box` (Block List, Max: 1) Box SSO indicator (no configuration settings needed for Box SSO). (see below for nested schema)
- `cloudbees` (Block List, Max: 1) CloudBees SSO indicator (no configuration settings needed for CloudBees SSO). (see below for nested schema)
- `concur` (Block List, Max: 1) Concur SSO indicator (no configuration settings needed for Concur SSO). (see below for nested schema)
- `dropbox` (Block List, Max: 1) Dropbox SSO indicator (no configuration settings needed for Dropbox SSO). (see below for nested schema)
- `echosign` (Block List, Max: 1) Adobe EchoSign SSO configuration. (see below for nested schema)
- `egnyte` (Block List, Max: 1) Egnyte SSO configuration. (see below for nested schema)
- `firebase` (Block List, Max: 1) Google Firebase addon configuration. (see below for nested schema)
- `layer` (Block List, Max: 1) Layer addon configuration. (see below for nested schema)
- `mscrm` (Block List, Max: 1) Microsoft Dynamics CRM SSO configuration. (see below for nested schema)
- `newrelic` (Block List, Max: 1) New Relic SSO configuration. (see below for nested schema)
- `office365` (Block List, Max: 1) Microsoft Office 365 SSO configuration. (see below for nested schema)
- `rms` (Block List, Max: 1) Active Directory Rights Management Service SSO configuration. (see below for nested schema)
- `salesforce` (Block List, Max: 1) Salesforce SSO configuration. (see below for nested schema)
- `salesforce_api` (Block List, Max: 1) Salesforce API addon configuration. (see below for nested schema)
- `salesforce_sandbox_api` (Block List, Max: 1) Salesforce Sandbox addon configuration. (see below for nested schema)
- `samlp` (Block List, Max: 1) Configuration settings for a SAML add-on. (see below for nested schema)
- `sap_api` (Block List, Max: 1) SAP API addon configuration. (see below for nested schema)
- `sentry` (Block List, Max: 1) Sentry SSO configuration. (see below for nested schema)
- `sharepoint` (Block List, Max: 1) SharePoint SSO configuration. (see below for nested schema)
- `slack` (Block List, Max: 1) Slack team or workspace name, usually the first segment in your Slack URL, for example `https://acme-org.slack.com` would be `acme-org`. (see below for nested schema)
- `springcm` (Block List, Max: 1) SpringCM SSO configuration. (see below for nested schema)
- `sso_integration` (Block List, Max: 1) Generic SSO configuration. (see below for nested schema)
- `wams` (Block List, Max: 1) Windows Azure Mobile Services addon configuration. (see below for nested schema)
- `wsfed` (Block List, Max: 1) WS-Fed (WIF) addon indicator. Actual configuration is stored in the `callback` and `client_aliases` properties on the client. (see below for nested schema)
- `zendesk` (Block List, Max: 1) Zendesk SSO configuration. (see below for nested schema)
- `zoom` (Block List, Max: 1) Zoom SSO configuration. (see below for nested schema)

### Nested Schema for `addons.aws`
Optional:

- `lifetime_in_seconds` (Number) AWS token lifetime in seconds.
- `principal` (String) AWS principal ARN, for example `arn:aws:iam::010616021751:saml-provider/idpname`.
- `role` (String) AWS role ARN, for example `arn:aws:iam::010616021751:role/foo`.

### Nested Schema for `addons.azure_blob`

Optional:

- `account_name` (String) Your Azure storage account name. Usually the first segment in your Azure storage URL, for example `https://acme-org.blob.core.windows.net` would be the account name `acme-org`.
- `blob_delete` (Boolean) Indicates if the issued token has permission to delete the blob.
- `blob_name` (String) Entity to request a token for, such as `my-blob`. If blank, the computed SAS will apply to the entire storage container.
- `blob_read` (Boolean) Indicates if the issued token has permission to read the content, properties, metadata and block list. Use the blob as the source of a copy operation.
- `blob_write` (Boolean) Indicates if the issued token has permission to create or write content, properties, metadata, or block list. Snapshot or lease the blob. Resize the blob (page blob only). Use the blob as the destination of a copy operation within the same account.
- `container_delete` (Boolean) Indicates if the issued token has permission to delete any blob in the container.
- `container_list` (Boolean) Indicates if the issued token has permission to list blobs in the container.
- `container_name` (String) Container to request a token for, such as `my-container`.
- `container_read` (Boolean) Indicates if the issued token has permission to read the content, properties, metadata or block list of any blob in the container. Use any blob in the container as the source of a copy operation.
- `container_write` (Boolean) Indicates whether, for any blob in the container, the issued token has permission to create or write content, properties, metadata, or block list. Snapshot or lease the blob. Resize the blob (page blob only). Use the blob as the destination of a copy operation within the same account.
- `expiration` (Number) Expiration in minutes for the generated token (default of 5 minutes).
- `signed_identifier` (String) Shared access policy identifier defined in your storage account resource.
- `storage_access_key` (String, Sensitive) Access key associated with this storage account.

### Nested Schema for `addons.azure_sb`

Optional:

- `entity_path` (String) Entity you want to request a token for, such as `my-queue`.
- `expiration` (Number) Optional expiration in minutes for the generated token. Defaults to 5 minutes.
- `namespace` (String) Your Azure Service Bus namespace. Usually the first segment of your Service Bus URL (for example `https://acme-org.servicebus.windows.net` would be `acme-org`).
- `sas_key` (String, Sensitive) Primary Key associated with your shared access policy.
- `sas_key_name` (String) Your shared access policy name defined in your Service Bus entity.

### Nested Schema for `addons.box`

### Nested Schema for `addons.cloudbees`

### Nested Schema for `addons.concur`

### Nested Schema for `addons.dropbox`

### Nested Schema for `addons.echosign`
Optional:

- `domain` (String) Your custom domain found in your EchoSign URL, for example `https://acme-org.echosign.com` would be `acme-org`.

### Nested Schema for `addons.egnyte`

Optional:

- `domain` (String) Your custom domain found in your Egnyte URL, for example `https://acme-org.echosign.com` would be `acme-org`.

### Nested Schema for `addons.firebase`

Optional:

- `client_email` (String) ID of the Service Account you have created (shown as `client_email` in the generated JSON file, SDK v3+ tokens only).
- `lifetime_in_seconds` (Number) Optional expiration in seconds for the generated token. Defaults to 3600 seconds (SDK v3+ tokens only).
- `private_key` (String, Sensitive) Private Key for signing the token (SDK v3+ tokens only).
- `private_key_id` (String, Sensitive) Optional ID of the private key to obtain the `kid` header claim from the issued token (SDK v3+ tokens only).
- `secret` (String, Sensitive) Google Firebase Secret (SDK v2 only).

### Nested Schema for `addons.layer`

Required:

- `key_id` (String, Sensitive) Authentication Key identifier used to sign the Layer token.
- `private_key` (String, Sensitive) Private key for signing the Layer token.
- `provider_id` (String) Provider ID of your Layer account.

Optional:

- `expiration` (Number) Optional expiration in minutes for the generated token. Defaults to 5 minutes.
- `principal` (String) Name of the property used as the unique user ID in Layer. If not specified, `user_id` is used.

### Nested Schema for `addons.mscrm`

Optional:

- `url` (String) Microsoft Dynamics CRM application URL.

### Nested Schema for `addons.newrelic`

Optional:

- `account` (String) Your New Relic Account ID found in your New Relic URL after the `/accounts/` path, for example `https://rpm.newrelic.com/accounts/123456/query` would be `123456`.

### Nested Schema for `addons.office365`

Optional:

- `connection` (String) Optional Auth0 database connection for testing an already-configured Office 365 tenant.
- `domain` (String) Your Office 365 domain name, for example `acme-org.com`.

### Nested Schema for `addons.rms`

Optional:

- `url` (String) URL of your Rights Management Server. It can be internal or external, but users will have to be able to reach it.

### Nested Schema for `addons.salesforce`

Optional:

- `entity_id` (String) Arbitrary logical URL that identifies the Salesforce resource, for example `https://acme-org.com`.

### Nested Schema for `addons.salesforce_api`

Optional:

- `client_id` (String, Sensitive) Consumer Key assigned by Salesforce to the Connected App.
- `community_name` (String) Community name.
- `community_url_section` (String) Community URL section.
- `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.

### Nested Schema for `addons.salesforce_sandbox_api`

Optional:

- `client_id` (String, Sensitive) Consumer Key assigned by Salesforce to the Connected App.
- `community_name` (String) Community name.
- `community_url_section` (String) Community URL section.
- `principal` (String, Sensitive) Name of the property in the user object that maps to a Salesforce username, for example `email`.

### Nested Schema for `addons.samlp`
Optional:

- `audience` (String) Audience of the SAML Assertion. Default will be the Issuer on SAMLRequest.
- `authn_context_class_ref` (String) Class reference of the authentication context.
- `binding` (String) Protocol binding used for SAML logout responses.
- `create_upn_claim` (Boolean) Indicates whether a UPN claim should be created. Defaults to `true`.
- `destination` (String) Destination of the SAML Response. If not specified, it will be the `AssertionConsumerUrl` of the SAMLRequest, or the callback URL if there was no SAMLRequest.
- `digest_algorithm` (String) Algorithm used to calculate the digest of the SAML Assertion or response. Options include `sha1` and `sha256`. Defaults to `sha1`.
- `include_attribute_name_format` (Boolean) Indicates whether or not we should infer the NameFormat based on the attribute name. If set to `false`, the attribute NameFormat is not set in the assertion. Defaults to `true`.
- `issuer` (String) Issuer of the SAML Assertion.
- `lifetime_in_seconds` (Number) Number of seconds during which the token is valid. Defaults to `3600` seconds.
- `logout` (Block List, Max: 1) Configuration settings for logout. (see below for nested schema)
- `map_identities` (Boolean) Indicates whether or not to add additional identity information in the token, such as the provider used and the `access_token`, if available. Defaults to `true`.
- `map_unknown_claims_as_is` (Boolean) Indicates whether to add a prefix of `http://schema.auth0.com` to any claims that are not mapped to the common profile when passed through in the output assertion. Defaults to `false`.
- `mappings` (Map of String) Mappings between the Auth0 user profile property name (`name`) and the output attributes on the SAML attribute in the assertion (`value`).
- `name_identifier_format` (String) Format of the name identifier. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
- `name_identifier_probes` (List of String) Attributes that can be used for Subject/NameID. Auth0 will try each of the attributes of this array in order and use the first value it finds.
- `passthrough_claims_with_no_mapping` (Boolean) Indicates whether or not to pass through claims that are not mapped to the common profile in the output assertion. Defaults to `true`.
- `recipient` (String) Recipient of the SAML Assertion (SubjectConfirmationData). Default is the `AssertionConsumerUrl` on the SAMLRequest, or the callback URL if no SAMLRequest was sent.
- `sign_response` (Boolean) Indicates whether or not the SAML Response should be signed instead of the SAML Assertion.
- `signature_algorithm` (String) Algorithm used to sign the SAML Assertion or response. Options include `rsa-sha1` and `rsa-sha256`. Defaults to `rsa-sha1`.
- `signing_cert` (String) Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be `-----BEGIN PUBLIC KEY-----\nMIGf...bpP/t3\n+JGNGIRMj1hF1rnb6QIDAQAB\n-----END PUBLIC KEY-----\n`.
- `typed_attributes` (Boolean) Indicates whether or not we should infer the `xs:type` of the element. Types include `xs:string`, `xs:boolean`, `xs:double`, and `xs:anyType`. When set to `false`, all `xs:type` are `xs:anyType`. Defaults to `true`.

### Nested Schema for `addons.samlp.logout`

Optional:

- `callback` (String) The service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses.
- `slo_enabled` (Boolean) Controls whether Auth0 should notify service providers of session termination.

### Nested Schema for `addons.sap_api`
Optional:

- `client_id` (String) If activated in the OAuth 2.0 client configuration (transaction SOAUTH2), the SAML attribute `client_id` must be set and equal the `client_id` form parameter of the access token request.
- `name_identifier_format` (String) NameID element of the Subject which can be used to express the user's identity. Defaults to `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
- `scope` (String) Requested scope for SAP APIs.
- `service_password` (String, Sensitive) Service account password to use to authenticate API calls to the token endpoint.
- `token_endpoint_url` (String) The OAuth2 token endpoint URL of your SAP OData server.
- `username_attribute` (String) Name of the property in the user object that maps to a SAP username, for example `email`.

### Nested Schema for `addons.sentry`

Optional:

- `base_url` (String) URL prefix only if running Sentry Community Edition, otherwise leave empty.
- `org_slug` (String) Generated slug for your Sentry organization. Found in your Sentry URL, for example `https://sentry.acme.com/acme-org/` would be `acme-org`.

### Nested Schema for `addons.sharepoint`

Optional:

- `external_url` (List of String) External SharePoint application URLs if exposed to the Internet.
- `url` (String) Internal SharePoint application URL.

### Nested Schema for `addons.slack`

Optional:

- `team` (String) Slack team name.

### Nested Schema for `addons.springcm`

Optional:

- `acs_url` (String) SpringCM ACS URL, for example `https://na11.springcm.com/atlas/sso/SSOEndpoint.ashx`.

### Nested Schema for `addons.sso_integration`

Optional:

- `name` (String) SSO integration name.
- `version` (String) SSO integration version installed.

### Nested Schema for `addons.wams`

Optional:

- `master_key` (String, Sensitive) Your master key for Windows Azure Mobile Services.

### Nested Schema for `addons.wsfed`

### Nested Schema for `addons.zendesk`

Optional:

- `account_name` (String) Zendesk account name. Usually the first segment in your Zendesk URL, for example `https://acme-org.zendesk.com` would be `acme-org`.

### Nested Schema for `addons.zoom`

Optional:

- `account` (String) Zoom account name. Usually the first segment of your Zoom URL, for example `https://acme-org.zoom.us` would be `acme-org`.

### Nested Schema for `jwt_configuration`
Optional:

- `alg` (String) Algorithm used to sign JWTs.
- `lifetime_in_seconds` (Number) Number of seconds during which the JWT will be valid.
- `scopes` (Map of String) Permissions (scopes) included in JWTs.
- `secret_encoded` (Boolean) Indicates whether the client secret is Base64-encoded.

### Nested Schema for `mobile`

Optional:

- `android` (Block List, Max: 1) Configuration settings for Android native apps. (see below for nested schema)
- `ios` (Block List, Max: 1) Configuration settings for iOS native apps. (see below for nested schema)

### Nested Schema for `mobile.android`

Optional:

- `app_package_name` (String)
- `sha256_cert_fingerprints` (List of String)

### Nested Schema for `mobile.ios`

Optional:

- `app_bundle_identifier` (String)
- `team_id` (String)

### Nested Schema for `native_social_login`

Optional:

- `apple` (Block List, Max: 1) (see below for nested schema)
- `facebook` (Block List, Max: 1) (see below for nested schema)

### Nested Schema for `native_social_login.apple`

Optional:

- `enabled` (Boolean)

### Nested Schema for `native_social_login.facebook`

Optional:

- `enabled` (Boolean)

### Nested Schema for `refresh_token`
Required:

- `expiration_type` (String) Options include `expiring`, `non-expiring`. Whether a refresh token will expire based on an absolute lifetime, after which the token can no longer be used. If rotation is `rotating`, this must be set to `expiring`.
- `rotation_type` (String) Options include `rotating`, `non-rotating`. When `rotating`, exchanging a refresh token will cause a new refresh token to be issued and the existing token will be invalidated. This allows for automatic detection of token reuse if the token is leaked.

Optional:

- `idle_token_lifetime` (Number) The time in seconds after which inactive refresh tokens will expire.
- `infinite_idle_token_lifetime` (Boolean) Whether inactive refresh tokens should remain valid indefinitely.
- `infinite_token_lifetime` (Boolean) Whether refresh tokens should remain valid indefinitely. If `false`, `token_lifetime` should also be set.
- `leeway` (Number) The amount of time in seconds in which a refresh token may be reused without triggering reuse detection.
- `token_lifetime` (Number) The absolute lifetime of a refresh token in seconds.

Import is supported using the following syntax:

```shell
# This resource can be imported by specifying the client ID.
#
# Example:
terraform import auth0_client.my_client "AaiyAPdpYdesoKnqjj8HJqRn4T5titww"
```
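The constraints stated in the schema above (https-only `callbacks` outside native custom URI schemes, an HTTPS-or-empty `initiate_login_uri`, `rotating` refresh tokens requiring `expiration_type = "expiring"`, and `token_lifetime` being required when `infinite_token_lifetime` is `false`) are easy to get wrong silently, so a CI check over the planned resource values is a practical guard. The following lint is an added example, not part of the provider or its documentation; it assumes the input is the `values` object of one `auth0_client` resource as rendered by `terraform show -json`, and the sample resource is constructed here to trip each rule.

```python
"""Lint planned auth0_client values against the constraints the resource schema documents.

The rules checked are the ones the schema text states; the resource dict below is a
constructed sample shaped like the "values" of an auth0_client in `terraform show -json`.
"""
from urllib.parse import urlsplit

# Constructed sample: a single-page app whose refresh_token block and callbacks
# violate several documented constraints at once.
CONSTRUCTED_SPA = {
    "name": "web-dashboard",
    "app_type": "spa",
    "callbacks": ["https://app.example.com/callback", "http://localhost:3000/callback"],
    "initiate_login_uri": "https://app.example.com/login",
    # A Max:1 block is rendered as a one-element list in the JSON plan.
    "refresh_token": [{
        "rotation_type": "rotating",
        "expiration_type": "non-expiring",
        "infinite_token_lifetime": False,
        "token_lifetime": None,
        "leeway": 0,
    }],
}


def lint_client(values):
    """Return a list of human-readable findings; an empty list means the values pass."""
    findings = []
    app_type = values.get("app_type")

    # callbacks: https:// required; a custom URI scheme is tolerated only for native apps.
    for url in values.get("callbacks") or []:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "https":
            continue
        if scheme in ("http", ""):
            findings.append(f"callbacks: {url!r} must use the https:// protocol")
        elif app_type != "native":
            findings.append(f"callbacks: custom scheme in {url!r} is only valid for native clients")

    # initiate_login_uri: must be HTTPS or an empty string.
    login_uri = values.get("initiate_login_uri")
    if login_uri and urlsplit(login_uri).scheme.lower() != "https":
        findings.append("initiate_login_uri: must be HTTPS or an empty string")

    # refresh_token: rotating tokens must expire, and a finite lifetime needs a value.
    for rt in values.get("refresh_token") or []:
        if rt.get("rotation_type") == "rotating" and rt.get("expiration_type") != "expiring":
            findings.append('refresh_token: rotation_type "rotating" requires expiration_type "expiring"')
        if rt.get("infinite_token_lifetime") is False and not rt.get("token_lifetime"):
            findings.append("refresh_token: token_lifetime must be set when infinite_token_lifetime is false")

    return findings


if __name__ == "__main__":
    for finding in lint_client(CONSTRUCTED_SPA):
        print(finding)
```

Feeding it every `auth0_client` resource from `terraform show -json plan.out` lets the pipeline fail before a misconfigured client reaches the tenant.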