Open ID Connect

The role specifies which privileges (ie policies) should be associated which tokens generated through successful authentication using the OpenID Connect server. It can impose constraints on which users are admitted by enforcing limitations on claims.

It is optionally possible to use custom claims for mapping to policies.

Create a new oidc service

SecurityaccessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
display-name
string
discovery-url
required
string

This should be the URI from witch the .well-known/openid-configuration can be fetched. For example, https://accounts.google.com/, when using the Google OIDC server, or https://xx.yy.com/oauth/v2/oauth-anonymous when using Curity IO. The base URL or the full URL including the .well-known/openid-configuration part.

discovery-ca-cert
string <ca-cert>

One or more root certificates in PEM format.

CA certificates, in PEM format, to use when validating TLS connection to discovery-url. Multiple certs may be added as one string.

use-root-ca-certs
boolean
Default: true

Use root CA certificate bundle when validating certificate of discovery url.

server-name-indication
string

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

tls-verify
boolean
Default: true

This field can be used to disable server cert validation when talking to the discovery-url. It should only be set to false in test setups and never in production.

client-id
required
string

The Client ID is provided by the OIDC server. Usually some non-guessable value such as 6779ef20e75817b79602 or 292085223830.apps.googleusercontent.com

client-secret
required
string

The Secret ID is a non-public that is only known by the client and the OIDC server. Usually some 256-bit hex value.

response-mode
string <enumeration>
Default: "query"
  • query
  • form-post
response-type
string <enumeration>
  • code
  • id-token

Only code is supported at this point.

default-role
string <name>

If no role is specified when invoking a oidc-login, then this role is used.

verbose-logging
boolean
Default: false
object

An alternative way of letting the OIDC server control which policies and token properties are given to different users is to select oidc service role based on a claim provided by the OIDC server. In order to do this certain role specific parameters needs to be provided here. They will be ignored in the selected role.

to (object) or sites (object) or deployments (object)
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

post/v1/config/strongbox/authentication/oidc-services
Request samples
name: qlik
display-name: qlik
discovery-url: http://192.168.100.50:9000/
discovery-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
  MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
  U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
  MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
  dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
  VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
  LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
  Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
  HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
  hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
  gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
  BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
  aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
  dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
  dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
  BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
  iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
  -----END CERTIFICATE-----
use-root-ca-certs: true
server-name-indication: oauth
tls-verify: true
client-id: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
client-secret: JIRhxGpPQ99ZyEBlaEFafJP3HTfw3w5npD9Rc4kodJSQpWrr6odIoTdKmsHcMvvw
response-mode: query
response-type: code
default-role: reader
verbose-logging: true
role-select:
  role-claim: group
  allowed-redirect-uris:
    - https://192.168.100.101:4646/v1/oidc-callback
  allowed-post-logout-redirect-uris:
    - http://foo.com/logout
  state-addition: foo.acme.com
  oidc-scopes:
    - profile
    - email
    - avassa
  use-nonce: true
  state-ttl: 10m
distribute:
  to: inherit

Retrieve the configuration of all oidc services

SecurityaccessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/authentication/oidc-services
Response samples
- name: qlik
  display-name: qlik
  discovery-url: http://192.168.100.50:9000/
  discovery-ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
    MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
    U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
    MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
    dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
    VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
    LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
    Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
    HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
    hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
    gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
    BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
    aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
    dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
    dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
    BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
    iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
    -----END CERTIFICATE-----
  use-root-ca-certs: true
  server-name-indication: oauth
  tls-verify: true
  client-id: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
  client-secret: JIRhxGpPQ99ZyEBlaEFafJP3HTfw3w5npD9Rc4kodJSQpWrr6odIoTdKmsHcMvvw
  response-mode: query
  response-type: code
  default-role: reader
  verbose-logging: true
  role-select:
    role-claim: group
    allowed-redirect-uris:
      - https://192.168.100.101:4646/v1/oidc-callback
    allowed-post-logout-redirect-uris:
      - http://foo.com/logout
    state-addition: foo.acme.com
    oidc-scopes:
      - profile
      - email
      - avassa
    use-nonce: true
    state-ttl: 10m
  distribute:
    to: inherit
  

Update an oidc service

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
display-name
string
discovery-url
required
string

This should be the URI from witch the .well-known/openid-configuration can be fetched. For example, https://accounts.google.com/, when using the Google OIDC server, or https://xx.yy.com/oauth/v2/oauth-anonymous when using Curity IO. The base URL or the full URL including the .well-known/openid-configuration part.

discovery-ca-cert
string <ca-cert>

One or more root certificates in PEM format.

CA certificates, in PEM format, to use when validating TLS connection to discovery-url. Multiple certs may be added as one string.

use-root-ca-certs
boolean
Default: true

Use root CA certificate bundle when validating certificate of discovery url.

server-name-indication
string

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

tls-verify
boolean
Default: true

This field can be used to disable server cert validation when talking to the discovery-url. It should only be set to false in test setups and never in production.

client-id
required
string

The Client ID is provided by the OIDC server. Usually some non-guessable value such as 6779ef20e75817b79602 or 292085223830.apps.googleusercontent.com

client-secret
required
string

The Secret ID is a non-public that is only known by the client and the OIDC server. Usually some 256-bit hex value.

response-mode
string <enumeration>
Default: "query"
  • query
  • form-post
response-type
string <enumeration>
  • code
  • id-token

Only code is supported at this point.

default-role
string <name>

If no role is specified when invoking a oidc-login, then this role is used.

verbose-logging
boolean
Default: false
object

An alternative way of letting the OIDC server control which policies and token properties are given to different users is to select oidc service role based on a claim provided by the OIDC server. In order to do this certain role specific parameters needs to be provided here. They will be ignored in the selected role.

to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

patch/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}
Request samples
name: qlik
display-name: qlik
discovery-url: http://192.168.100.50:9000/
discovery-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
  MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
  U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
  MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
  dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
  VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
  LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
  Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
  HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
  hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
  gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
  BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
  aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
  dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
  dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
  BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
  iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
  -----END CERTIFICATE-----
use-root-ca-certs: true
server-name-indication: oauth
tls-verify: true
client-id: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
client-secret: JIRhxGpPQ99ZyEBlaEFafJP3HTfw3w5npD9Rc4kodJSQpWrr6odIoTdKmsHcMvvw
response-mode: query
response-type: code
default-role: reader
verbose-logging: true
role-select:
  role-claim: group
  allowed-redirect-uris:
    - https://192.168.100.101:4646/v1/oidc-callback
  allowed-post-logout-redirect-uris:
    - http://foo.com/logout
  state-addition: foo.acme.com
  oidc-scopes:
    - profile
    - email
    - avassa
  use-nonce: true
  state-ttl: 10m
distribute:
  to: inherit

Delete an oidc service

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

delete/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}

Replace or create a new oidc service

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
display-name
string
discovery-url
required
string

This should be the URI from witch the .well-known/openid-configuration can be fetched. For example, https://accounts.google.com/, when using the Google OIDC server, or https://xx.yy.com/oauth/v2/oauth-anonymous when using Curity IO. The base URL or the full URL including the .well-known/openid-configuration part.

discovery-ca-cert
string <ca-cert>

One or more root certificates in PEM format.

CA certificates, in PEM format, to use when validating TLS connection to discovery-url. Multiple certs may be added as one string.

use-root-ca-certs
boolean
Default: true

Use root CA certificate bundle when validating certificate of discovery url.

server-name-indication
string

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

tls-verify
boolean
Default: true

This field can be used to disable server cert validation when talking to the discovery-url. It should only be set to false in test setups and never in production.

client-id
required
string

The Client ID is provided by the OIDC server. Usually some non-guessable value such as 6779ef20e75817b79602 or 292085223830.apps.googleusercontent.com

client-secret
required
string

The Secret ID is a non-public that is only known by the client and the OIDC server. Usually some 256-bit hex value.

response-mode
string <enumeration>
Default: "query"
  • query
  • form-post
response-type
string <enumeration>
  • code
  • id-token

Only code is supported at this point.

default-role
string <name>

If no role is specified when invoking a oidc-login, then this role is used.

verbose-logging
boolean
Default: false
object

An alternative way of letting the OIDC server control which policies and token properties are given to different users is to select oidc service role based on a claim provided by the OIDC server. In order to do this certain role specific parameters needs to be provided here. They will be ignored in the selected role.

to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

put/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}
Request samples
name: qlik
display-name: qlik
discovery-url: http://192.168.100.50:9000/
discovery-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
  MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
  U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
  MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
  dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
  VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
  LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
  Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
  HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
  hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
  gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
  BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
  aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
  dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
  dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
  BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
  iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
  -----END CERTIFICATE-----
use-root-ca-certs: true
server-name-indication: oauth
tls-verify: true
client-id: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
client-secret: JIRhxGpPQ99ZyEBlaEFafJP3HTfw3w5npD9Rc4kodJSQpWrr6odIoTdKmsHcMvvw
response-mode: query
response-type: code
default-role: reader
verbose-logging: true
role-select:
  role-claim: group
  allowed-redirect-uris:
    - https://192.168.100.101:4646/v1/oidc-callback
  allowed-post-logout-redirect-uris:
    - http://foo.com/logout
  state-addition: foo.acme.com
  oidc-scopes:
    - profile
    - email
    - avassa
  use-nonce: true
  state-ttl: 10m
distribute:
  to: inherit

Retrieve the configuration of an oidc service

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}
Response samples
name: qlik
display-name: qlik
discovery-url: http://192.168.100.50:9000/
discovery-ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
  MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
  U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
  MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
  dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
  VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
  LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
  Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
  HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
  hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
  gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
  BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
  aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
  dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
  dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
  BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
  iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
  -----END CERTIFICATE-----
use-root-ca-certs: true
server-name-indication: oauth
tls-verify: true
client-id: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
client-secret: JIRhxGpPQ99ZyEBlaEFafJP3HTfw3w5npD9Rc4kodJSQpWrr6odIoTdKmsHcMvvw
response-mode: query
response-type: code
default-role: reader
verbose-logging: true
role-select:
  role-claim: group
  allowed-redirect-uris:
    - https://192.168.100.101:4646/v1/oidc-callback
  allowed-post-logout-redirect-uris:
    - http://foo.com/logout
  state-addition: foo.acme.com
  oidc-scopes:
    - profile
    - email
    - avassa
  use-nonce: true
  state-ttl: 10m
distribute:
  to: inherit

Create a new oidc service role

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
bound-audiences
Array of strings

Optionally configured list of aud claims. If configured, at least one entry must match.

user-claim
string
Default: "sub"

Claim to use as unique user identifier.

bound-subject
string

If configured the sub claim must match this value.

object

All entries must be present in the claim and their values must match.

object

Map that describes how claims are mapped into meta attributes in the token.

Name of claim as returned by OIDC server.

policies-claim
string

Name of custom claim to use for assigning policies. The claim is expected to contain an array of policies.

tenant-claim
string

Name of custom claim to tenant mapping. Only available for system level authentication configured by the sys tenant.

use-nonce
boolean
Default: true

Nonce can be used to ensure that replay attacks cannot be used. However, not all OIDC backend servers support nonce.

state-addition
string

Add this string to the state parameter. It can be read from the state by base64 decoding the state and splitting the string at the colon. The second half will be this string.

oidc-scopes
Array of strings

Scopes to request from OIDC server. The openid scope is always added.

allowed-redirect-uris
Array of strings

List of allowed redirect URIs during login. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

allowed-post-logout-redirect-uris
Array of strings

List of allowed redirect URIs after logout. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

logout-uri
string

If the backend Openid Connect service does not have the end_session_endpont capability, then an explicit logout uri can be configured. It will be used when the oidc-logout RPC is invoked.

verbose-logging
boolean
Default: false
state-ttl
string <duration>
Default: "10m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL for outstanding login requests.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Should the refresh operation be allowed for this token or not.

to (object) or sites (object) or deployments (object)
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

post/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}/roles
Request samples
name: reader
bound-audiences: []
user-claim: sub
bound-subject: "34772"
bound-claims:
  supd: allow
claim-mappings:
  nickname: nickname
  email: email
  name: username
policies-claim: policies
tenant-claim: tenant
use-nonce: true
state-addition: foo.acme.com
oidc-scopes:
  - profile
  - email
  - avassa
allowed-redirect-uris:
  - https://192.168.100.101:4646/v1/oidc-callback
allowed-post-logout-redirect-uris:
  - http://foo.com/logout
logout-uri: https://c2id.com/logout
verbose-logging: true
state-ttl: 10m
token-ttl: 32d
token-max-ttl: 32d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: inherit

Retrieve the configuration of all oidc service roles

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}/roles
Response samples
- name: reader
  bound-audiences: []
  user-claim: sub
  bound-subject: "34772"
  bound-claims:
    supd: allow
  claim-mappings:
    nickname: nickname
    email: email
    name: username
  policies-claim: policies
  tenant-claim: tenant
  use-nonce: true
  state-addition: foo.acme.com
  oidc-scopes:
    - profile
    - email
    - avassa
  allowed-redirect-uris:
    - https://192.168.100.101:4646/v1/oidc-callback
  allowed-post-logout-redirect-uris:
    - http://foo.com/logout
  logout-uri: https://c2id.com/logout
  verbose-logging: true
  state-ttl: 10m
  token-ttl: 32d
  token-max-ttl: 32d
  token-policies:
    - user
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 0
  token-period: 0s
  token-type: default
  token-renewable: true
  distribute:
    to: inherit
  

Update an oidc service role

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

oidc-service-role-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service-role

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
bound-audiences
Array of strings

Optionally configured list of aud claims. If configured, at least one entry must match.

user-claim
string
Default: "sub"

Claim to use as unique user identifier.

bound-subject
string

If configured the sub claim must match this value.

object

All entries must be present in the claim and their values must match.

object

Map that describes how claims are mapped into meta attributes in the token.

Name of claim as returned by OIDC server.

policies-claim
string

Name of custom claim to use for assigning policies. The claim is expected to contain an array of policies.

tenant-claim
string

Name of custom claim to tenant mapping. Only available for system level authentication configured by the sys tenant.

use-nonce
boolean
Default: true

Nonce can be used to ensure that replay attacks cannot be used. However, not all OIDC backend servers support nonce.

state-addition
string

Add this string to the state parameter. It can be read from the state by base64 decoding the state and splitting the string at the colon. The second half will be this string.

oidc-scopes
Array of strings

Scopes to request from OIDC server. The openid scope is always added.

allowed-redirect-uris
Array of strings

List of allowed redirect URIs during login. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

allowed-post-logout-redirect-uris
Array of strings

List of allowed redirect URIs after logout. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

logout-uri
string

If the backend Openid Connect service does not have the end_session_endpont capability, then an explicit logout uri can be configured. It will be used when the oidc-logout RPC is invoked.

verbose-logging
boolean
Default: false
state-ttl
string <duration>
Default: "10m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL for outstanding login requests.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Should the refresh operation be allowed for this token or not.

to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

patch/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}/roles/{oidc-service-role-name}
Request samples
name: reader
bound-audiences: []
user-claim: sub
bound-subject: "34772"
bound-claims:
  supd: allow
claim-mappings:
  nickname: nickname
  email: email
  name: username
policies-claim: policies
tenant-claim: tenant
use-nonce: true
state-addition: foo.acme.com
oidc-scopes:
  - profile
  - email
  - avassa
allowed-redirect-uris:
  - https://192.168.100.101:4646/v1/oidc-callback
allowed-post-logout-redirect-uris:
  - http://foo.com/logout
logout-uri: https://c2id.com/logout
verbose-logging: true
state-ttl: 10m
token-ttl: 32d
token-max-ttl: 32d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: inherit

Delete an oidc service role

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

oidc-service-role-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service-role

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

delete/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}/roles/{oidc-service-role-name}

Replace or create a new oidc service role

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

oidc-service-role-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service-role

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
bound-audiences
Array of strings

Optionally configured list of aud claims. If configured, at least one entry must match.

user-claim
string
Default: "sub"

Claim to use as unique user identifier.

bound-subject
string

If configured the sub claim must match this value.

object

All entries must be present in the claim and their values must match.

object

Map that describes how claims are mapped into meta attributes in the token.

Name of claim as returned by OIDC server.

policies-claim
string

Name of custom claim to use for assigning policies. The claim is expected to contain an array of policies.

tenant-claim
string

Name of custom claim to tenant mapping. Only available for system level authentication configured by the sys tenant.

use-nonce
boolean
Default: true

Nonce can be used to ensure that replay attacks cannot be used. However, not all OIDC backend servers support nonce.

state-addition
string

Add this string to the state parameter. It can be read from the state by base64 decoding the state and splitting the string at the colon. The second half will be this string.

oidc-scopes
Array of strings

Scopes to request from OIDC server. The openid scope is always added.

allowed-redirect-uris
Array of strings

List of allowed redirect URIs during login. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

allowed-post-logout-redirect-uris
Array of strings

List of allowed redirect URIs after logout. The list may contain wildcards in the host part of the URIs. For example, http://*.example.com would allow all redirect uris where the star matches a host, e.g., http://foo.example.com but not http://foo.bar.example.com. Wildcards are allowed in all parts of the FQDN. For example to allow redirect uris to FQDN above the list could contain http://*.*.example.com. Prefixes and suffixes are also matched, ie http://foo-*-bar.example.com is allowed.

Note that wildcards are not recommended for production use.

logout-uri
string

If the backend Openid Connect service does not have the end_session_endpont capability, then an explicit logout uri can be configured. It will be used when the oidc-logout RPC is invoked.

verbose-logging
boolean
Default: false
state-ttl
string <duration>
Default: "10m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL for outstanding login requests.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Should the refresh operation be allowed for this token or not.

to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

put/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}/roles/{oidc-service-role-name}
Request samples
name: reader
bound-audiences: []
user-claim: sub
bound-subject: "34772"
bound-claims:
  supd: allow
claim-mappings:
  nickname: nickname
  email: email
  name: username
policies-claim: policies
tenant-claim: tenant
use-nonce: true
state-addition: foo.acme.com
oidc-scopes:
  - profile
  - email
  - avassa
allowed-redirect-uris:
  - https://192.168.100.101:4646/v1/oidc-callback
allowed-post-logout-redirect-uris:
  - http://foo.com/logout
logout-uri: https://c2id.com/logout
verbose-logging: true
state-ttl: 10m
token-ttl: 32d
token-max-ttl: 32d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: inherit

Retrieve the configuration of an oidc service role

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

oidc-service-role-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service-role

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/authentication/oidc-services/{oidc-service-name}/roles/{oidc-service-role-name}
Response samples
name: reader
bound-audiences: []
user-claim: sub
bound-subject: "34772"
bound-claims:
  supd: allow
claim-mappings:
  nickname: nickname
  email: email
  name: username
policies-claim: policies
tenant-claim: tenant
use-nonce: true
state-addition: foo.acme.com
oidc-scopes:
  - profile
  - email
  - avassa
allowed-redirect-uris:
  - https://192.168.100.101:4646/v1/oidc-callback
allowed-post-logout-redirect-uris:
  - http://foo.com/logout
logout-uri: https://c2id.com/logout
verbose-logging: true
state-ttl: 10m
token-ttl: 32d
token-max-ttl: 32d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 0
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: inherit

Update the oidc settings

SecurityaccessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
default-service
string <name>
Default: "default"

Name of oidc service to use if no service is provided to the oidc-login action.

to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

patch/v1/config/strongbox/authentication/oidc-settings
Request samples
default-service: auth0
distribute:
  to: all

Delete the oidc settings

SecurityaccessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

delete/v1/config/strongbox/authentication/oidc-settings

Replace or create the oidc settings

SecurityaccessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
default-service
string <name>
Default: "default"

Name of oidc service to use if no service is provided to the oidc-login action.

to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

put/v1/config/strongbox/authentication/oidc-settings
Request samples
default-service: auth0
distribute:
  to: all

Retrieve the configuration of oidc settings

SecurityaccessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

304

Not Modified

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/authentication/oidc-settings
Response samples
default-service: auth0
distribute:
  to: all

Invoke the list-oidc-services operation

Lists OIDC services and roles for a given tenant, allowing an API to list all available roles.

Request
Request Body schema:
tenant
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

If no tenant is specified, and there is only one tenant configured, then the service list is returned for that tenant.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/authentication/list-oidc-services
Request samples
tenant: acme
Response samples
tenant: acme
oidcs:
  - name: auth0
    display-name: Auth0
    roles:
      - default
      - admin

Retrieve the state of all oidc services

SecurityaccessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/strongbox/authentication/oidc-services
Response samples
- name: qlik
  display-name: qlik
  discovery-url: http://192.168.100.50:9000/
  discovery-ca-cert: |
    -----BEGIN CERTIFICATE-----
    MIIDUDCCAvagAwIBAgITAKYom2ar3MFwt//DipR5NywBdjAKBggqhkjOPQQDAjBa
    MQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2NraG9sbTELMAkGA1UEBhMC
    U0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlzdHJpYnV0aW9uMCIYDzIw
    MjIwMTEyMDYyMTQ4WhgPMjAyMjAxMjcwOTU3NDhaMGIxFzAVBgNVBAMTDnRpby5h
    dmFzc2EubmV0MRIwEAYDVQQHEwlTdG9ja2hvbG0xCzAJBgNVBAYTAlNFMQ8wDQYD
    VQQKEwZBdmFzc2ExFTATBgNVBAsTDGRpc3RyaWJ1dGlvbjCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBAKa7LYXK0P1IOpXkEAI52kJizdUA74z7NsAegV38
    LFvipzCggEJr9niqRNmZqR6B8cs+CWIRZub0Qm5eQIzPtZtzLzwBD+i5AyitW5Tq
    Top79tVlta4wupAtkxBCOeIAzFtFwWaiGCVA+4D9Ns6TXo7GUxC0aw/MOeRyAHt/
    HaBIPk6hIGKOAiCjP4r4fEl4tWpSNzexovCvKCl4fGs4WLvRR1YoNdx0spvROc63
    hd9gikokDEuHMsh9Q1wEIP7/V+rgbYGtRw990mHl0zWoGtS+hp/QHAngcJnJiJk3
    gOPTXnQKqCzBWUmZUdwt27LKTdK7Vsq6DtNEKchaqRzGMRkCAwEAAaOBwzCBwDB+
    BgNVHSMEdzB1oV6kXDBaMQ8wDQYDVQQDEwZBdmFzc2ExEjAQBgNVBAcTCVN0b2Nr
    aG9sbTELMAkGA1UEBhMCU0UxDzANBgNVBAoTBkF2YXNzYTEVMBMGA1UECxMMZGlz
    dHJpYnV0aW9ughMAp0MSfyaImp0XtPO3uqCnMRITMCMGA1UdEQQcMBqCDnRpby5h
    dmFzc2EubmV0ggNmb2+CA2JhcjALBgNVHQ8EBAMCA4gwDAYDVR0TAQH/BAIwADAK
    BggqhkjOPQQDAgNIADBFAiAssZp0WV7ejre85Zh4LJZQiTVWEObLXRwifAHQoiqi
    iwIhAOga9thMhWISM1FFgSTeNUtUe9jziVdPfSYQpInAcg3V
    -----END CERTIFICATE-----
  use-root-ca-certs: true
  server-name-indication: oauth
  tls-verify: true
  client-id: JVX9fZTK9fvsRZxuZ3uuGUuh1zPps1Ng
  client-secret: JIRhxGpPQ99ZyEBlaEFafJP3HTfw3w5npD9Rc4kodJSQpWrr6odIoTdKmsHcMvvw
  response-mode: query
  response-type: code
  default-role: reader
  verbose-logging: true
  role-select:
    role-claim: group
    allowed-redirect-uris:
      - https://192.168.100.101:4646/v1/oidc-callback
    allowed-post-logout-redirect-uris:
      - http://foo.com/logout
    state-addition: foo.acme.com
    oidc-scopes:
      - profile
      - email
      - avassa
    use-nonce: true
    state-ttl: 10m
  creation-time: 2022-01-13T08:09:52.605729Z
  distribute:
    to: inherit
  distribution-status:
    to: none
  

Retrieve the state of an oidc service

SecurityaccessToken
Request
path Parameters
oidc-service-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of oidc-service

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request