# OIDCConfig

Version 4.0.25.14 (latest)

| Name | Datatype | Description |
|---|---|---|
| can *lock* | object | Operations the current user is able to perform on this object |
| alternate_email_login_allowed | boolean | Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled. |
| audience | string | OpenID Provider Audience |
| auth_requires_role | boolean | If set to true, users will not be allowed to log in at all unless a role for them is found in OIDC |
| authorization_endpoint | string | OpenID Provider Authorization Url |
| default_new_user_group_ids | string[] | |
| default_new_user_groups | [Group](/looker/docs/reference/looker-api/latest/types/Group)[] | |
| default_new_user_role_ids | string[] | |
| default_new_user_roles | [Role](/looker/docs/reference/looker-api/latest/types/Role)[] | |
| enabled | boolean | Enable/Disable OIDC authentication for the server |
| groups | [OIDCGroupRead](/looker/docs/reference/looker-api/latest/types/OIDCGroupRead)[] | |
| groups_attribute | string | Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values' |
| groups_with_role_ids | [OIDCGroupWrite](/looker/docs/reference/looker-api/latest/types/OIDCGroupWrite)[] | |
| identifier | string | Relying Party Identifier (provided by OpenID Provider) |
| issuer | string | OpenID Provider Issuer |
| modified_at *lock* | string | When this config was last modified |
| modified_by *lock* | string | User id of user who last modified this config |
| new_user_migration_types | string | Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of strings like 'email,ldap,google' |
| scopes | string[] | |
| secret | string | (Write-Only) Relying Party Secret (provided by OpenID Provider) |
| set_roles_from_groups | boolean | Set user roles in Looker based on groups from OIDC |
| test_slug *lock* | string | Slug to identify configurations that are created in order to run an OIDC config test |
| token_endpoint | string | OpenID Provider Token Url |
| user_attribute_map_email | string | Name of user record attributes used to indicate email address field |
| user_attribute_map_first_name | string | Name of user record attributes used to indicate first name |
| user_attribute_map_last_name | string | Name of user record attributes used to indicate last name |
| user_attributes | [OIDCUserAttributeRead](/looker/docs/reference/looker-api/latest/types/OIDCUserAttributeRead)[] | |
| user_attributes_with_ids | [OIDCUserAttributeWrite](/looker/docs/reference/looker-api/latest/types/OIDCUserAttributeWrite)[] | |
| userinfo_endpoint | string | OpenID Provider User Information Url |
| allow_normal_group_membership | boolean | Allow OIDC auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login. |
| allow_roles_from_normal_groups | boolean | OIDC auth'd users will inherit roles from non-reflected Looker groups. |
| allow_direct_roles | boolean | Allows roles to be directly assigned to OIDC auth'd users. |
| url *lock* | string | Link to get this item |

Group
-----

| Name | Datatype | Description |
|---|---|---|
| can *lock* | object | Operations the current user is able to perform on this object |
| can_add_to_content_metadata | boolean | Group can be used in content access controls |
| contains_current_user *lock* | boolean | Currently logged in user is group member |
| external_group_id *lock* | string | External Id group if embed group |
| externally_managed *lock* | boolean | Group membership controlled outside of Looker |
| id *lock* | string | Unique Id |
| include_by_default *lock* | boolean | New users are added to this group by default |
| name | string | Name of group |
| user_count *lock* | integer | Number of users included in this group |

Role
----

| Name | Datatype | Description |
|---|---|---|
| can *lock* | object | Operations the current user is able to perform on this object |
| id *lock* | string | Unique Id |
| name | string | Name of Role |
| permission_set *lock* | [PermissionSet](/looker/docs/reference/looker-api/latest/types/PermissionSet) | (Read only) Permission set |
| permission_set_id | string | (Write-Only) Id of permission set |
| model_set *lock* | [ModelSet](/looker/docs/reference/looker-api/latest/types/ModelSet) | (Read only) Model set |
| model_set_id | string | (Write-Only) Id of model set |
| url *lock* | string | Link to get this item |
| users_url *lock* | string | Link to get list of users with this role |

PermissionSet
-------------

| Name | Datatype | Description |
|---|---|---|
| can *lock* | object | Operations the current user is able to perform on this object |
| all_access *lock* | boolean | |
| built_in *lock* | boolean | |
| id *lock* | string | Unique Id |
| name | string | Name of PermissionSet |
| permissions | string[] | |
| url *lock* | string | Link to get this item |

ModelSet
--------

| Name | Datatype | Description |
|---|---|---|
| can *lock* | object | Operations the current user is able to perform on this object |
| all_access *lock* | boolean | |
| built_in *lock* | boolean | |
| id *lock* | string | Unique Id |
| models | string[] | |
| name | string | Name of ModelSet |
| url *lock* | string | Link to get this item |

OIDCGroupRead
-------------

| Name | Datatype | Description |
|---|---|---|
| id *lock* | string | Unique Id |
| looker_group_id *lock* | string | Unique Id of group in Looker |
| looker_group_name *lock* | string | Name of group in Looker |
| name *lock* | string | Name of group in OIDC |
| roles | [Role](/looker/docs/reference/looker-api/latest/types/Role)[] | |

OIDCGroupWrite
--------------

| Name | Datatype | Description |
|---|---|---|
| id | string | Unique Id |
| looker_group_id *lock* | string | Unique Id of group in Looker |
| looker_group_name | string | Name of group in Looker |
| name | string | Name of group in OIDC |
| role_ids | string[] | |

OIDCUserAttributeRead
---------------------

| Name | Datatype | Description |
|---|---|---|
| name *lock* | string | Name of User Attribute in OIDC |
| required *lock* | boolean | Required to be in OIDC assertion for login to be allowed to succeed |
| user_attributes | [UserAttribute](/looker/docs/reference/looker-api/latest/types/UserAttribute)[] | |

UserAttribute
-------------

| Name | Datatype | Description |
|---|---|---|
| can *lock* | object | Operations the current user is able to perform on this object |
| id *lock* | string | Unique Id |
| name | string | Name of user attribute |
| label | string | Human-friendly label for user attribute |
| type | string | Type of user attribute ("string", "number", "datetime", "yesno", "zipcode", "advanced_filter_string", "advanced_filter_number") |
| default_value | string | Default value for when no value is set on the user |
| is_system *lock* | boolean | Attribute is a system default |
| is_permanent *lock* | boolean | Attribute is permanent and cannot be deleted |
| value_is_hidden | boolean | If true, users will not be able to view values of this attribute |
| user_can_view | boolean | Non-admin users can see the values of their attributes and use them in filters |
| user_can_edit | boolean | Users can change the value of this attribute for themselves |
| hidden_value_domain_whitelist | string | Destinations to which a hidden attribute may be sent. Once set, cannot be edited. |

OIDCUserAttributeWrite
----------------------

| Name | Datatype | Description |
|---|---|---|
| name | string | Name of User Attribute in OIDC |
| required | boolean | Required to be in OIDC assertion for login to be allowed to succeed |
| user_attribute_ids | string[] | |

Related Methods
---------------

- [Auth/oidc_config](../methods/Auth/oidc_config "Auth/oidc_config")
- [Auth/update_oidc_config](../methods/Auth/update_oidc_config "Auth/update_oidc_config")
- [Auth/oidc_test_config](../methods/Auth/oidc_test_config "Auth/oidc_test_config")
- [Auth/create_oidc_test_config](../methods/Auth/create_oidc_test_config "Auth/create_oidc_test_config")

Last updated 2025-08-20 UTC.
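
The fields above that decide who can log in and how roles are gained can be reviewed together. The following is an added example, not part of the Looker documentation or SDK: `review_oidc_config`, the review policy and the sample values are assumptions made for illustration, and the input is a plain dict shaped like an OIDCConfig read.

```python
from urllib.parse import urlparse

ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
# Boolean fields that, when true, widen how users log in or gain roles.
WIDENING_FLAGS = {
    "alternate_email_login_allowed": "email/password login via /login/email stays available",
    "allow_direct_roles": "roles can be assigned directly to OIDC users",
    "allow_roles_from_normal_groups": "roles are inherited from non-reflected Looker groups",
    "allow_normal_group_membership": "users keep membership of non-reflected Looker groups",
}

def review_oidc_config(cfg):
    """Return (field, finding) pairs for an OIDCConfig dict (illustrative policy)."""
    if not cfg.get("enabled"):
        return [("enabled", "OIDC authentication is disabled")]
    findings = [(f, text) for f, text in WIDENING_FLAGS.items() if cfg.get(f)]
    if not cfg.get("auth_requires_role"):
        findings.append(("auth_requires_role",
                         "users with no role found in OIDC can still log in"))
    # Comma separated credential types, e.g. 'email,ldap,google'.
    raw = cfg.get("new_user_migration_types") or ""
    types = [t.strip() for t in raw.split(",") if t.strip()]
    if types:
        findings.append(("new_user_migration_types",
                         "first OIDC login merges into existing accounts by email: "
                         + ",".join(types)))
    for field in ("default_new_user_role_ids", "default_new_user_group_ids"):
        if cfg.get(field):
            findings.append((field, "assigned to every new user: " + ",".join(cfg[field])))
    for field in ENDPOINT_FIELDS:
        url = cfg.get(field)
        if url and urlparse(url).scheme != "https":
            findings.append((field, "endpoint is not HTTPS: " + url))
    return findings

# Constructed sample, shaped like a response from Auth/oidc_config.
SAMPLE = {
    "enabled": True,
    "alternate_email_login_allowed": True,
    "auth_requires_role": False,
    "new_user_migration_types": "email, ldap",
    "default_new_user_role_ids": ["2"],
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "http://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
}

if __name__ == "__main__":
    for field, finding in review_oidc_config(SAMPLE):
        print(f"{field}: {finding}")
```
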