Version 4.0.24.18 (latest)
Get the OIDC configuration.
Looker can be optionally configured to authenticate users against an OpenID Connect (OIDC)
authentication server. OIDC setup requires coordination with an administrator of that server.
Only Looker administrators can read and update the OIDC configuration.
Configuring OIDC impacts authentication for all users. This configuration should be done carefully.
Looker maintains a single OIDC configuration. It can be read and updated. Updates only succeed if the new state will be valid (in the sense that all required fields are populated); it is up to you to ensure that the configuration is appropriate and correct).
OIDC is enabled or disabled for Looker using the enabled field.
Calls to this endpoint may be denied by Looker (Google Cloud core).
Request
GET
/oidc_config
Response
200: OIDC Configuration.
can
lock
object
Operations the current user is able to perform on this object
alternate_email_login_allowed
boolean
Allow alternate email-based login via '/login/email' for admins and for specified users with the 'login_special_email' permission. This option is useful as a fallback during ldap setup, if ldap config problems occur later, or if you need to support some users who are not in your ldap directory. Looker email/password logins are always disabled for regular users when ldap is enabled.
audience
string
OpenID Provider Audience
auth_requires_role
boolean
Users will not be allowed to login at all unless a role for them is found in OIDC if set to true
authorization_endpoint
string
OpenID Provider Authorization Url
default_new_user_group_ids
string[]
Expand Group definition...
can
lock
object
Operations the current user is able to perform on this object
can_add_to_content_metadata
boolean
Group can be used in content access controls
contains_current_user
lock
boolean
Currently logged in user is group member
external_group_id
lock
string
External Id group if embed group
externally_managed
lock
boolean
Group membership controlled outside of Looker
include_by_default
lock
boolean
New users are added to this group by default
name
string
Name of group
user_count
lock
integer
Number of users included in this group
default_new_user_role_ids
string[]
Expand Role definition...
can
lock
object
Operations the current user is able to perform on this object
permission_set
lock
(Read only) Permission set
Expand PermissionSet definition...
can
lock
object
Operations the current user is able to perform on this object
name
string
Name of PermissionSet
url
lock
string
Link to get this item
permission_set_id
string
(Write-Only) Id of permission set
model_set
lock
(Read only) Model set
Expand ModelSet definition...
can
lock
object
Operations the current user is able to perform on this object
name
string
Name of ModelSet
url
lock
string
Link to get this item
model_set_id
string
(Write-Only) Id of model set
url
lock
string
Link to get this item
users_url
lock
string
Link to get list of users with this role
enabled
boolean
Enable/Disable OIDC authentication for the server
Expand OIDCGroupRead definition...
looker_group_id
lock
string
Unique Id of group in Looker
looker_group_name
lock
string
Name of group in Looker
name
lock
string
Name of group in OIDC
Expand Role definition...
can
lock
object
Operations the current user is able to perform on this object
permission_set
lock
(Read only) Permission set
permission_set_id
string
(Write-Only) Id of permission set
model_set
lock
(Read only) Model set
model_set_id
string
(Write-Only) Id of model set
url
lock
string
Link to get this item
users_url
lock
string
Link to get list of users with this role
groups_attribute
string
Name of user record attributes used to indicate groups. Used when 'groups_finder_type' is set to 'grouped_attribute_values'
Expand OIDCGroupWrite definition...
looker_group_id
lock
string
Unique Id of group in Looker
looker_group_name
string
Name of group in Looker
name
string
Name of group in OIDC
identifier
string
Relying Party Identifier (provided by OpenID Provider)
issuer
string
OpenID Provider Issuer
modified_at
lock
string
When this config was last modified
modified_by
lock
string
User id of user who last modified this config
new_user_migration_types
string
Merge first-time oidc login to existing user account by email addresses. When a user logs in for the first time via oidc this option will connect this user into their existing account by finding the account with a matching email address by testing the given types of credentials for existing users. Otherwise a new user account will be created for the user. This list (if provided) must be a comma separated list of string like 'email,ldap,google'
secret
string
(Write-Only) Relying Party Secret (provided by OpenID Provider)
set_roles_from_groups
boolean
Set user roles in Looker based on groups from OIDC
test_slug
lock
string
Slug to identify configurations that are created in order to run a OIDC config test
token_endpoint
string
OpenID Provider Token Url
user_attribute_map_email
string
Name of user record attributes used to indicate email address field
user_attribute_map_first_name
string
Name of user record attributes used to indicate first name
user_attribute_map_last_name
string
Name of user record attributes used to indicate last name
Expand OIDCUserAttributeRead definition...
name
lock
string
Name of User Attribute in OIDC
required
lock
boolean
Required to be in OIDC assertion for login to be allowed to succeed
Expand UserAttribute definition...
can
lock
object
Operations the current user is able to perform on this object
name
string
Name of user attribute
label
string
Human-friendly label for user attribute
type
string
Type of user attribute ("string", "number", "datetime", "yesno", "zipcode", "advanced_filter_string", "advanced_filter_number")
default_value
string
Default value for when no value is set on the user
is_system
lock
boolean
Attribute is a system default
is_permanent
lock
boolean
Attribute is permanent and cannot be deleted
value_is_hidden
boolean
If true, users will not be able to view values of this attribute
user_can_view
boolean
Non-admin users can see the values of their attributes and use them in filters
user_can_edit
boolean
Users can change the value of this attribute for themselves
hidden_value_domain_whitelist
string
Destinations to which a hidden attribute may be sent. Once set, cannot be edited.
Expand OIDCUserAttributeWrite definition...
name
string
Name of User Attribute in OIDC
required
boolean
Required to be in OIDC assertion for login to be allowed to succeed
user_attribute_ids
string[]
userinfo_endpoint
string
OpenID Provider User Information Url
allow_normal_group_membership
boolean
Allow OIDC auth'd users to be members of non-reflected Looker groups. If 'false', user will be removed from non-reflected groups on login.
allow_roles_from_normal_groups
boolean
OIDC auth'd users will inherit roles from non-reflected Looker groups.
allow_direct_roles
boolean
Allows roles to be directly assigned to OIDC auth'd users.
url
lock
string
Link to get this item
403: Permission Denied
message
lock
string
Error details
documentation_url
lock
string
Documentation link
404: Not Found
message
lock
string
Error details
documentation_url
lock
string
Documentation link
429: Too Many Requests
message
lock
string
Error details
documentation_url
lock
string
Documentation link