NAME
    gcloud alpha iam workforce-pools providers update-oidc - update an OIDC
        workforce pool provider

SYNOPSIS
    gcloud alpha iam workforce-pools providers update-oidc
        (PROVIDER : --location=LOCATION --workforce-pool=WORKFORCE_POOL)
        [--async] [--attribute-condition=ATTRIBUTE_CONDITION]
        [--attribute-mapping=[KEY=VALUE,...]] [--client-id=CLIENT_ID]
        [--description=DESCRIPTION] [--detailed-audit-logging] [--disabled]
        [--display-name=DISPLAY_NAME] [--issuer-uri=ISSUER_URI]
        [--jwk-json-path=PATH_TO_FILE]
        [--web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,...]]
        [--web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR]
        [--web-sso-response-type=WEB_SSO_RESPONSE_TYPE]
        [--clear-client-secret | --client-secret-value=CLIENT_SECRET_VALUE]
        [--clear-extended-attributes-config
          | --extended-attributes-client-id=EXTENDED_ATTRIBUTES_CLIENT_ID
          --extended-attributes-client-secret-value=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE --extended-attributes-filter=EXTENDED_ATTRIBUTES_FILTER --extended-attributes-issuer-uri=EXTENDED_ATTRIBUTES_ISSUER_URI --extended-attributes-type=EXTENDED_ATTRIBUTES_TYPE]
        [--clear-extra-attributes-config
          | --extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID
          --extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE --extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER --extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI --extra-attributes-type=EXTRA_ATTRIBUTES_TYPE]
        [--clear-scim-usage | --scim-usage=SCIM_USAGE] [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    (ALPHA) Update an OIDC workforce pool provider.

EXAMPLES
    The following command updates the OIDC workforce pool provider with the ID
    my-workforce-pool-provider in the workforce pool my-workforce-pool.
    Explicit values for all required and optional parameters are provided:

        $ gcloud alpha iam workforce-pools providers update-oidc \
            my-workforce-pool-provider \
            --workforce-pool="my-workforce-pool" --location="global" \
            --display-name="My Workforce Pool Provider" \
            --description="My workforce pool provider description." \
            --disabled --detailed-audit-logging \
            --attribute-mapping="google.subject=assertion.sub" \
            --attribute-condition="true" --client-id="client-id" \
            --client-secret-value="client-secret" \
            --issuer-uri="https://test-idp.com" \
            --web-sso-response-type="code" \
            --web-sso-assertion-claims-behavior="merge-user-info-over-id-tok\
        en-claims" --web-sso-additional-scopes="groups,photos" \
            --jwk-json-path="path/to/jwk.json"

POSITIONAL ARGUMENTS
     Workforce pool provider resource - The workforce pool provider to update.
     The arguments in this group can be used to specify the attributes of this
     resource.

     This must be specified.

       PROVIDER
          ID of the workforce pool provider or fully qualified identifier for
          the workforce pool provider.

          To set the provider attribute:
          ▸ provide the argument provider on the command line.

          This positional argument must be specified if any of the other
          arguments in this group are specified.

       --location=LOCATION
          The location for the workforce pool.

          To set the location attribute:
          ▸ provide the argument provider on the command line with a fully
            specified name;
          ▸ provide the argument --location on the command line.

       --workforce-pool=WORKFORCE_POOL
          The ID to use for the workforce pool, which becomes the final
          component of the resource name. This value must be a globally unique
          string of 6 to 63 lowercase letters, digits, or hyphens. It must
          start with a letter, and cannot have a trailing hyphen. The prefix
          gcp- is reserved for use by Google, and may not be specified.

          To set the workforce-pool attribute:
          ▸ provide the argument provider on the command line with a fully
            specified name;
          ▸ provide the argument --workforce-pool on the command line.

FLAGS
     --async
        Return immediately, without waiting for the operation in progress to
        complete.

     --attribute-condition=ATTRIBUTE_CONDITION
        A Common Expression Language (https://opensource.google/projects/cel)
        expression, in plain text, to restrict which otherwise valid
        authentication credentials issued by the provider should be accepted.

        The expression must output a boolean representing whether to allow the
        federation.

        The following keywords may be referenced in the expressions:

        ◆ assertion: JSON representing the authentication credential issued
          by the Provider.
        ◆ google: The Google attributes mapped from the assertion in the
          attribute_mappings. google.profile_photo and google.display_name are
          not supported.
        ◆ attribute: The custom attributes mapped from the assertion in the
          attribute_mappings.

        The maximum length of the attribute condition expression is 4096
        characters. If unspecified, all valid authentication credential will be
        accepted.

        Example: Only allow credentials with a mapped google.groups value of
        admins.

            "'admins' in google.groups"

     --attribute-mapping=[KEY=VALUE,...]
        Maps claims from the authentication credentials issued by the Identity
        Provider into Google Cloud IAM attributes, e.g. subject, segment.

        Each key must be a string specifying the Google Cloud IAM attribute to
        be produced.

        The following predefined keys are currently supported:

        ◆ google.subject: required field that indicates the principal that is
          being authenticated to IAM, and will be logged in all API accesses
          for which Cloud Audit Logging is configured.

        ◆ google.groups: optional field that indicates asserted groups that
          the user should be considered to belong to. You can create IAM
          bindings using the groups attribute and access to a resource will be
          granted if any of the groups asserted here match a group in the
          respective binding.

        ◆ google.display_name: optional field that overrides the name of the
          user. If not set, google.subject will be displayed instead. This
          attribute cannot be used in IAM policies. The maximum length of this
          field is 100 characters.

        ◆ google.profile_photo: optional fields that may be set to a valid
          URL specifying the user's thumbnail photo. When set, the image will
          be visible as the user's profile picture. If not set, a generic user
          icon will be displayed instead. This attribute cannot be used in IAM
          policies.

        Custom attributes can also be mapped by specifying
        attribute.{custom_attribute}, replacing {custom_attribute} with the
        name of the custom attribute to be mapped. A maximum of 50 custom
        attribute mappings can be defined. The maximum length of a mapped
        attribute key is 2048 characters and can only contain the characters
        [a-z0-9_].

        These attributes can then be referenced in IAM policies to define
        fine-grained access for the workforce pool to Google Cloud resources by
        specifying:

        ◆ google.subject:
          principal://iam.googleapis.com/locations/global/workforcePools/{pool}/subject/{value}

        ◆ google.groups:
          principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/group/{value}

        ◆ attribute.{custom_attribute}:
          principalSet://iam.googleapis.com/locations/global/workforcePools/{pool}/attribute.{custom_attribute}/{value}

        Each value must be a Common Expression Language
        (https://opensource.google/projects/cel) function that maps an Identity
        Provider credential to the normalized attribute specified by the
        corresponding map key.

        The following keywords may be referenced in the expressions:

        ◆ assertion: JSON representing the authentication credential issued
          by the Identity Provider.

        The maximum length of an attribute mapping expression is 2048
        characters. When evaluated, the total size of all mapped attributes
        must not exceed 8KB.

        Example: Map the sub claim of the incoming credential to the subject
        Google Cloud IAM attribute.

            {"google.subject": "assertion.sub"}

     --client-id=CLIENT_ID
        The OIDC client ID. This must match the audience claim of the JWT
        issued by the identity provider.

     --description=DESCRIPTION
        A description for the workforce pool provider. Cannot exceed 256
        characters in length.

     --detailed-audit-logging
        Enables detailed audit logging for this provider, which populates
        additional debug information in STS Cloud Audit Logs. Specify
        --no-detailed-audit-logging to disable it.

     --disabled
        Disables the workforce pool provider. You cannot use a disabled
        provider to perform new token exchanges or sign-ins. However, existing
        tokens still grant access. Specify --no-disabled to enable a disabled
        pool.

     --display-name=DISPLAY_NAME
        A display name for the workforce pool provider. Cannot exceed 32
        characters in length.

     --issuer-uri=ISSUER_URI
        The OIDC issuer URI. Must be a valid URI using the 'https' scheme.

     --jwk-json-path=PATH_TO_FILE
        Optional file containing JSON Web Key (JWK) public keys. The file
        format must follow JWK specifications
        (https://www.rfc-editor.org/rfc/rfc7517#section-4). Example file
        format:            {
              "keys": [
                 {
                      "kty": "RSA/EC",
                      "alg": "<algorithm>",
                      "use": "sig",
                      "kid": "<key-id>",
                      "n": "",
                      "e": "",
                      "x": "",
                      "y": "",
                      "crv": ""
                 }
              ]
            }
        . Use a full or relative path to a local file containing the value of
        jwk_json_path.

     --web-sso-additional-scopes=[WEB_SSO_ADDITIONAL_SCOPES,...]
        Additional scopes to request for the OIDC authentication on top of
        scopes requested by default. By default, the openid, profile and email
        scopes that are supported by the identity provider are requested.

        Each additional scope may be at most 256 characters. A maximum of 10
        additional scopes may be configured.

        Updating this field replaces any existing values. Include the full list
        of additional scopes to avoid losing existing values.

     --web-sso-assertion-claims-behavior=WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR
        The behavior for how OIDC Claims are included in the assertion object
        used for attribute mapping and attribute condition. Use
        merge-user-info-over-id-token-claims to merge the UserInfo Endpoint
        Claims with ID Token Claims, preferring UserInfo Claim Values for the
        same Claim Name. Currently this option is only available for
        Authorization Code flow. Use only-id-token-claims to include only ID
        token claims. WEB_SSO_ASSERTION_CLAIMS_BEHAVIOR must be one of:
        assertion-claims-behavior-unspecified,
        merge-user-info-over-id-token-claims, only-id-token-claims.

     --web-sso-response-type=WEB_SSO_RESPONSE_TYPE
        Response Type to request for in the OIDC Authorization Request for web
        sign-in. Use code to select the authorization code flow
        (https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
        Use id-token to select the implicit flow
        (https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth).
        WEB_SSO_RESPONSE_TYPE must be one of: code, id-token,
        response-type-unspecified.

     At most one of these can be specified:

       --clear-client-secret
          Clear the OIDC client secret.

       --client-secret-value=CLIENT_SECRET_VALUE
          The OIDC client secret. Required to enable Authorization Code flow
          for web sign-in.

     At most one of these can be specified:

       --clear-extended-attributes-config
          Clear the extended attributes configuration.

       Or at least one of these can be specified:

         --extended-attributes-client-id=EXTENDED_ATTRIBUTES_CLIENT_ID
            (DEPRECATED) The OAuth 2.0 client ID for retrieving extended
            attributes from the identity provider. Required to get extended
            group memberships for a subset of Google Cloud products.

            The --extended-attributes-client-id flag is restricted. We suggest
            you use SCIM instead.

         --extended-attributes-client-secret-value=EXTENDED_ATTRIBUTES_CLIENT_SECRET_VALUE
            (DEPRECATED) The OAuth 2.0 client secret for retrieving extended
            attributes from the identity provider. Required to get extended
            group memberships for a subset of Google Cloud products.

            The --extended-attributes-client-secret-value flag is restricted.
            We suggest you use SCIM instead.

         --extended-attributes-filter=EXTENDED_ATTRIBUTES_FILTER
            (DEPRECATED) The filter used to request specific records from the
            IdP. By default, all of the groups that are associated with a user
            are fetched. For Microsoft Entra ID, you can add $search query
            parameters using [Keyword Query Language]
            (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
            To learn more about $search querying in Microsoft Entra ID, see
            [Use the $search query parameter]
            (https://learn.microsoft.com/en-us/graph/search-query-parameter).

            Additionally, Workforce Identity Federation automatically adds the
            following [$filter query parameters]
            (https://learn.microsoft.com/en-us/graph/filter-query-parameter),
            based on the value of attributes_type. Values passed to filter are
            converted to $search query parameters. Additional $filter query
            parameters cannot be added using this field.

            ▫ AZURE_AD_GROUPS_ID: securityEnabled filter is applied.

            The --extended-attributes-filter flag is restricted. We suggest you
            use SCIM instead.

         --extended-attributes-issuer-uri=EXTENDED_ATTRIBUTES_ISSUER_URI
            (DEPRECATED) OIDC identity provider's issuer URI. Must be a valid
            URI using the https scheme. Required to get the OIDC discovery
            document.

            The --extended-attributes-issuer-uri flag is restricted. We suggest
            you use SCIM instead.

         --extended-attributes-type=EXTENDED_ATTRIBUTES_TYPE
            (DEPRECATED) Represents the identity provider and type of claims
            that should be fetched.

            The --extended-attributes-type flag is restricted. We suggest you
            use SCIM instead. EXTENDED_ATTRIBUTES_TYPE must be (only one value
            is supported): azure-ad-groups-id.

     At most one of these can be specified:

       --clear-extra-attributes-config
          Clear the extra attributes configuration.

       Or at least one of these can be specified:

         --extra-attributes-client-id=EXTRA_ATTRIBUTES_CLIENT_ID
            The OAuth 2.0 client ID for retrieving extra attributes from the
            identity provider. Required to get the access token using client
            credentials grant flow.

         --extra-attributes-client-secret-value=EXTRA_ATTRIBUTES_CLIENT_SECRET_VALUE
            The OAuth 2.0 client secret for retrieving extra attributes from
            the identity provider. Required to get the access token using
            client credentials grant flow.

         --extra-attributes-filter=EXTRA_ATTRIBUTES_FILTER
            The filter used to request specific records from the IdP. By
            default, all of the groups that are associated with a user are
            fetched. For Microsoft Entra ID, you can add $search query
            parameters using [Keyword Query Language]
            (https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
            To learn more about $search querying in Microsoft Entra ID, see
            [Use the $search query parameter]
            (https://learn.microsoft.com/en-us/graph/search-query-parameter).

            Additionally, Workforce Identity Federation automatically adds the
            following [$filter query parameters]
            (https://learn.microsoft.com/en-us/graph/filter-query-parameter),
            based on the value of attributes_type. Values passed to filter are
            converted to $search query parameters. Additional $filter query
            parameters cannot be added using this field.

            ▫ AZURE_AD_GROUPS_MAIL: mailEnabled and securityEnabled filters
              are applied.
            ▫ AZURE_AD_GROUPS_ID: securityEnabled filter is applied.
            ▫ AZURE_AD_GROUPS_DISPLAY_NAME: securityEnabled filter is
              applied.

         --extra-attributes-issuer-uri=EXTRA_ATTRIBUTES_ISSUER_URI
            OIDC identity provider's issuer URI. Must be a valid URI using the
            https scheme. Required to get the OIDC discovery document.

         --extra-attributes-type=EXTRA_ATTRIBUTES_TYPE
            Represents the identity provider and type of claims that should be
            fetched. EXTRA_ATTRIBUTES_TYPE must be one of:
            attributes-type-unspecified, azure-ad-groups-display-name,
            azure-ad-groups-id, azure-ad-groups-mail.

     At most one of these can be specified:

       --clear-scim-usage
          Clear the SCIM usage configuration, resetting it to unspecified.

       --scim-usage=SCIM_USAGE
          Specifies whether the workforce identity pool provider uses
          SCIM-managed groups instead of the google.groups attribute mapping
          for authorization checks.

          The scim_usage and extended_attributes_oauth2_client fields are
          mutually exclusive. A request that enables both fields on the same
          workforce identity pool provider will produce an error.

          Use enabled-for-groups to enable SCIM-managed groups. Use
          enabled-for-users-groups to enable SCIM-managed user claims and
          groups. Use scim-usage-unspecified to disable SCIM-managed groups.

          SCIM_USAGE must be one of: enabled-for-groups,
          enabled-for-users-groups, scim-usage-unspecified.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

API REFERENCE
    This command uses the iam/v1 API. The full documentation for this API can
    be found at: https://cloud.google.com/iam/

NOTES
    This command is currently in alpha and might change without notice. If this
    command fails with API permission errors despite specifying the correct
    project, you might be trying to access an API with an invitation-only early
    access allowlist. These variants are also available:

        $ gcloud iam workforce-pools providers update-oidc

        $ gcloud beta iam workforce-pools providers update-oidc

