Access Control (REST) API - OIDC Clients
This section includes REST APIs for working with Access Control OIDC (OpenID Connect) Client tasks.
Get All OIDC Clients - GET /OIDCClients
Get details of all OIDC (OpenID Connect) clients.
Notice
The ‘Manage Clients’ permission is required to execute this API.
Usage:
GET /OIDCClients and get details of all OIDC clients
PUT /OIDCClients/{id} and update OIDC client details
URL
/cxrestapi/auth/OIDCClients
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0
Parameters
None
Success Response:
Code: 200 Success
Error Response:
Code: 401 Unauthorized
Code: 403 Forbidden
Sample Response:
{
  "id": 4,
  "updateAccessTokenClaimsOnRefresh": false,
  "accessTokenType": 0,
  "includeJwtId": false,
  "alwaysIncludeUserClaimsInIdToken": false,
  "clientId": "resource_owner_sast_client",
  "clientName": "Cx Sast Resource Owner Client",
  "allowOfflineAccess": true,
  "clientSecrets": [ "7PXDgKOvDnF+YLUEpZ02brsgAAfeyld6n2D/qd4UunM=" ],
  "allowedGrantTypes": [ "password" ],
  "allowedScopes": [ "sast_api", "access_control_api", "offline_access" ],
  "enabled": true,
  "requireClientSecret": true,
  "redirectUris": [],
  "postLogoutRedirectUris": [],
  "frontChannelLogoutUri": null,
  "frontChannelLogoutSessionRequired": true,
  "backChannelLogoutUri": null,
  "backChannelLogoutSessionRequired": true,
  "identityTokenLifetime": 300,
  "accessTokenLifetime": 3600,
  "authorizationCodeLifetime": 300,
  "absoluteRefreshTokenLifetime": 2592000,
  "slidingRefreshTokenLifetime": 1296000,
  "refreshTokenUsage": 1,
  "refreshTokenExpiration": 1,
  "allowedCorsOrigins": [],
  "allowAccessTokensViaBrowser": false,
  "claims": [],
  "clientClaimsPrefix": ""
}
Notes:
Retrieves details of all OIDC clients. The response includes each client's clientSecrets array (see the sample above), so treat the output as sensitive and keep it out of logs, tickets and shared notebooks. If the request fails, it returns an error response.
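The following Python script is an added example, not part of the Checkmarx documentation or product. It decodes the JSON this endpoint returns and flags the settings a reviewer would question: implicit or password grants, access tokens delivered through the browser, reusable refresh tokens, lifetimes above the defaults listed under POST /OIDCClients, and plain-http redirect or CORS URIs. It also works out, from refreshTokenExpiration, absoluteRefreshTokenLifetime and slidingRefreshTokenLifetime as described under POST /OIDCClients, when a given refresh token stops working. The sample data is constructed: the first client mirrors the sample response above with its secret redacted, the second is an invented weak browser client; the thresholds, base URL and token are this example's assumptions, and fetch_clients() is the only network call and is not run by the audit.

```python
"""Audit the JSON from GET /cxrestapi/auth/OIDCClients for risky client settings.

Added example, not Checkmarx code. Field names follow the sample response on this
page; the thresholds and the second sample client are assumptions for illustration.
"""
import json
import urllib.request

# Constructed sample: client 4 mirrors the page's sample response (secret redacted),
# client 17 is an invented weak single-page-app client.
SAMPLE_RESPONSE = json.dumps([
    {"id": 4, "updateAccessTokenClaimsOnRefresh": False, "accessTokenType": 0,
     "includeJwtId": False, "alwaysIncludeUserClaimsInIdToken": False,
     "clientId": "resource_owner_sast_client", "clientName": "Cx Sast Resource Owner Client",
     "allowOfflineAccess": True, "clientSecrets": ["<redacted>"],
     "allowedGrantTypes": ["password"],
     "allowedScopes": ["sast_api", "access_control_api", "offline_access"],
     "enabled": True, "requireClientSecret": True, "redirectUris": [],
     "postLogoutRedirectUris": [], "frontChannelLogoutUri": None,
     "frontChannelLogoutSessionRequired": True, "backChannelLogoutUri": None,
     "backChannelLogoutSessionRequired": True, "identityTokenLifetime": 300,
     "accessTokenLifetime": 3600, "authorizationCodeLifetime": 300,
     "absoluteRefreshTokenLifetime": 2592000, "slidingRefreshTokenLifetime": 1296000,
     "refreshTokenUsage": 1, "refreshTokenExpiration": 1, "allowedCorsOrigins": [],
     "allowAccessTokensViaBrowser": False, "claims": [], "clientClaimsPrefix": ""},
    {"id": 17, "clientId": "spa_dashboard", "clientName": "Dashboard SPA (constructed)",
     "enabled": True, "allowedGrantTypes": ["implicit"], "requireClientSecret": False,
     "clientSecrets": [], "allowedScopes": ["sast_api"],
     "redirectUris": ["http://dashboard.example.test/callback"], "allowedCorsOrigins": [],
     "allowAccessTokensViaBrowser": True, "allowOfflineAccess": True,
     "refreshTokenUsage": 0, "refreshTokenExpiration": 0, "accessTokenLifetime": 86400,
     "absoluteRefreshTokenLifetime": 2592000, "slidingRefreshTokenLifetime": 1296000},
])

# Defaults quoted on this page; anything longer deserves a second look (assumed threshold).
DEFAULT_ACCESS_TOKEN_LIFETIME = 3600
DEFAULT_ABSOLUTE_REFRESH_LIFETIME = 2592000
BROWSER_GRANTS = {"implicit", "authorization_code", "hybrid"}
CONFIDENTIAL_GRANTS = {"client_credentials", "password"}


def sample_clients():
    """Decoded constructed sample, as the audit would see a real response."""
    return json.loads(SAMPLE_RESPONSE)


def fetch_clients(base_url, access_token):
    """GET /cxrestapi/auth/OIDCClients with the headers the page specifies (not run here)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/cxrestapi/auth/OIDCClients",
        headers={"Authorization": "Bearer " + access_token,
                 "Accept": "application/json;v=1.0"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def audit_client(c):
    """Return the findings for one client object; an empty list means nothing was flagged."""
    findings = []
    grants = set(c.get("allowedGrantTypes", []))
    if "implicit" in grants:
        findings.append("implicit grant returns tokens through the browser front channel")
    if "password" in grants:
        findings.append("password grant lets the client handle user credentials directly")
    if grants & CONFIDENTIAL_GRANTS and not c.get("requireClientSecret", True):
        findings.append("confidential grant type without requireClientSecret")
    if c.get("allowAccessTokensViaBrowser"):
        findings.append("allowAccessTokensViaBrowser is true")
    if c.get("allowOfflineAccess") and c.get("refreshTokenUsage") == 0:
        findings.append("refresh tokens are reusable (refreshTokenUsage=ReUse)")
    if c.get("accessTokenLifetime", 0) > DEFAULT_ACCESS_TOKEN_LIFETIME:
        findings.append("accessTokenLifetime exceeds the 3600 s default")
    if c.get("absoluteRefreshTokenLifetime", 0) > DEFAULT_ABSOLUTE_REFRESH_LIFETIME:
        findings.append("absoluteRefreshTokenLifetime exceeds the 30 day default")
    if grants & BROWSER_GRANTS and not c.get("redirectUris"):
        findings.append("browser grant type without redirectUris")
    if "implicit" in grants and not c.get("allowedCorsOrigins"):
        findings.append("implicit grant without allowedCorsOrigins")
    for uri in c.get("redirectUris", []) + c.get("allowedCorsOrigins", []):
        if uri.startswith("http://") and "localhost" not in uri:
            findings.append("plain-http URI: " + uri)
    return findings


def audit(payload):
    """Map clientId -> findings for a decoded response (a list of clients or one object)."""
    clients = payload if isinstance(payload, list) else [payload]
    return {c["clientId"]: audit_client(c) for c in clients if c.get("enabled", True)}


def refresh_token_expires_at(client, issued_at, last_refreshed_at):
    """Epoch second after which a refresh token is dead, following refreshTokenExpiration:
    Absolute (0): issued_at + absoluteRefreshTokenLifetime;
    Sliding (1): last refresh + slidingRefreshTokenLifetime, never beyond the absolute limit."""
    absolute_deadline = issued_at + client["absoluteRefreshTokenLifetime"]
    if client.get("refreshTokenExpiration") == 1:
        return min(absolute_deadline, last_refreshed_at + client["slidingRefreshTokenLifetime"])
    return absolute_deadline


if __name__ == "__main__":
    for client_id, findings in audit(sample_clients()).items():
        print(client_id, "->", findings or "ok")
```

Run it against a live server by replacing sample_clients() with fetch_clients(base_url, token); the audit logic is the same for a single client object returned by GET /OIDCClients/{id}.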
Create New OIDC Client - POST /OIDCClients
Create a new OIDC client.
Notice
The ‘Manage Clients’ permission is required to execute this API.
Usage:
POST /OIDCClients and create a new OIDC client
GET /OIDCClients/{id} and get details of an OIDC client
URL
/cxrestapi/auth/OIDCClients
Method:
POST
Media Type (header):
Authorization: Bearer <access token value>
Content-Type: application/json;v=1.0
Parameters
createClientViewModel=[body]: Specifies the OIDC client details
updateAccessTokenClaimsOnRefresh=[boolean] - Whether the claims in the access token should be refreshed when a refresh token is used (true/false)
accessTokenType=[integer] - Whether the access token is a self-contained JWT (0) or a reference token (1). Default: 0 (Jwt)
includeJwtId=[boolean] - Whether JWT access tokens should carry an embedded unique Id (jti claim) (true/false)
alwaysIncludeUserClaimsInIdToken=[boolean] - When both an Id token and an access token are requested, whether the user claims are always added to the Id token instead of requiring the client to call the userinfo endpoint (true/false). Default=false
clientId=[string] - Client Id (the identifier the client presents to the token endpoint)
clientName=[string] - Client display name
allowOfflineAccess=[boolean] - Whether this client can request refresh tokens (true/false)
clientSecrets=[array of strings] - Credentials the client uses at the token endpoint
allowedGrantTypes=[array of strings] - Grant types the client is allowed to use. Grant types specify how a client interacts with IdentityServer. Allowed values: "client_credentials", "implicit", "authorization_code", "hybrid", "password"
allowedScopes=[array of strings] - By default a client has no access to any resource. Grant access by listing the corresponding scope names (e.g. sast_api, access_control_api, offline_access)
enabled=[boolean] - Whether the client is enabled (true/false). Default=true
requireClientSecret=[boolean] - Whether this client needs a secret to request tokens from the token endpoint (true/false). Default=true
redirectUris=[array of strings] - Allowed URIs to return tokens or authorization codes to. Required for the "implicit" and "authorization_code" grant types.
postLogoutRedirectUris=[array of strings] - Allowed URIs to redirect to after logout
frontChannelLogoutUri=[string] - Logout URI at the client for HTTP-based front-channel logout
frontChannelLogoutSessionRequired=[boolean] - Whether the user's session Id should be sent to the FrontChannelLogoutUri (true/false). Default=true
backChannelLogoutUri=[string] - Logout URI at the client for HTTP-based back-channel logout
backChannelLogoutSessionRequired=[boolean] - Whether the user's session Id should be sent in the request to the BackChannelLogoutUri (true/false). Default=true
identityTokenLifetime=[integer] - Lifetime of the identity token (in seconds). Default: 300 seconds/5 minutes
accessTokenLifetime=[integer] - Lifetime of the access token (in seconds). Default: 3600 seconds/1 hour
authorizationCodeLifetime=[integer] - Lifetime of the authorization code (in seconds). Default: 300 seconds/5 minutes
absoluteRefreshTokenLifetime=[integer] - Maximum lifetime of a refresh token (in seconds). Default: 2592000 seconds/30 days
slidingRefreshTokenLifetime=[integer] - Sliding lifetime of a refresh token (in seconds). Default: 1296000 seconds/15 days
refreshTokenUsage=[integer] - Refresh token usage: ReUse = 0, the refresh token handle stays the same when tokens are refreshed; OneTime = 1, the refresh token handle is replaced when tokens are refreshed
refreshTokenExpiration=[integer] - Refresh token expiration: Absolute = 0, the refresh token expires at a fixed point in time (issue time plus absoluteRefreshTokenLifetime); Sliding = 1, each refresh renews the lifetime of the refresh token by slidingRefreshTokenLifetime, but the total lifetime never exceeds absoluteRefreshTokenLifetime
allowedCorsOrigins=[array of strings] - If specified, used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients. Required for the "implicit" grant type
allowAccessTokensViaBrowser=[boolean] - Whether this client is allowed to receive access tokens via the browser (true/false). Leaving this false hardens flows that allow multiple response types: for example, a hybrid-flow client that is supposed to use "code id_token" cannot add the "token" response type and leak the access token to the browser.
claims=[array of objects]: type=[string], value=[string] - Claims to set for the client. They are included in the access token.
clientClaimsPrefix=[string] - Prefix added to the client claim types.
Notice
To retrieve additional information about the available endpoint scopes, refer to ‘http://<server-name/ip>:<port>/cxrestapi/auth/identity/.well-known/openid-configuration’ or click the discovery document link in your Swagger instance.
Success Response:
Code: 201 Success (returns location of the created OIDC client in the response header)
Error Response:
Code: 400 Bad Request
Code: 401 Unauthorized
Code: 403 Forbidden
Sample Response:
no content
Notes:
Returns the location of the created OIDC client in the Location response header. The request body carries the new client's secret in clear text, so send it only over TLS and keep it out of shell history and CI logs. If the request fails, it returns an error response.
Get OIDC Client by Id - GET /OIDCClients/{id}
Gets details of an OIDC client according to OIDC client Id.
Notice
The ‘Manage Clients’ permission is required to execute this API.
Usage:
POST /OIDCClients and create a new OIDC client
GET /OIDCClients/{id} and get details of an OIDC client
URL
/cxrestapi/auth/OIDCClients/{id}
Method:
GET
Media Type (header):
Authorization: Bearer <access token value>
Accept: application/json;v=1.0
Parameters
Required:
id=[integer] - Unique Id of the OIDC client
Success Response:
Code: 200 Success
Error Response:
Code: 400 Bad Request
Code: 401 Unauthorized
Code: 403 Forbidden
Code: 404 Not Found
Sample Response:
{
  "id": 4,
  "updateAccessTokenClaimsOnRefresh": false,
  "accessTokenType": 0,
  "includeJwtId": false,
  "alwaysIncludeUserClaimsInIdToken": false,
  "clientId": "resource_owner_sast_client",
  "clientName": "Cx Sast Resource Owner Client",
  "allowOfflineAccess": true,
  "clientSecrets": [ "7PXDgKOvDnF+YLUEpZ02brsgAAfeyld6n2D/qd4UunM=" ],
  "allowedGrantTypes": [ "password" ],
  "allowedScopes": [ "sast_api", "access_control_api", "offline_access" ],
  "enabled": true,
  "requireClientSecret": true,
  "redirectUris": [],
  "postLogoutRedirectUris": [],
  "frontChannelLogoutUri": null,
  "frontChannelLogoutSessionRequired": true,
  "backChannelLogoutUri": null,
  "backChannelLogoutSessionRequired": true,
  "identityTokenLifetime": 300,
  "accessTokenLifetime": 3600,
  "authorizationCodeLifetime": 300,
  "absoluteRefreshTokenLifetime": 2592000,
  "slidingRefreshTokenLifetime": 1296000,
  "refreshTokenUsage": 1,
  "refreshTokenExpiration": 1,
  "allowedCorsOrigins": [],
  "allowAccessTokensViaBrowser": false,
  "claims": [],
  "clientClaimsPrefix": ""
}
Notes:
Retrieves details of the OIDC client according to OIDC client Id. The response includes the client's clientSecrets array (see the sample above), so treat the output as sensitive. If the request fails, it returns an error response.
Update an OIDC Client - PUT /OIDCClients/{id}
Update the OIDC client details according to OIDC Client Id.
Notice
The ‘Manage Clients’ permission is required to execute this API.
Usage:
GET /OIDCClients/{id} and get details of an OIDC client
PUT /OIDCClients/{id} and update the OIDC client details
URL
/cxrestapi/auth/OIDCClients/{id}
Method:
PUT
Media Type (header):
Authorization: Bearer <access token value>
Content-Type: application/json;v=1.0
Parameters
Required:
id=[integer] - Unique Id of the OIDC client
updateClientModel=[body]: Specifies the OIDC client details to update
clientId=[string] - Client Id
clientName=[string] - Client display name
allowOfflineAccess=[boolean] - Whether this client can request refresh tokens (true, false)
clientSecrets=[array of strings] - Credentials the client uses at the token endpoint
allowedGrantTypes=[array of strings] - Grant types the client is allowed to use ("client_credentials", "implicit", "authorization_code", "hybrid", "password")
allowedScopes=[array of strings] - Scopes the client is allowed to use (e.g. access_control_api, sast_api)
enabled=[boolean] - Whether the client is enabled (true, false)
requireClientSecret=[boolean] - Whether this client needs a secret to request tokens from the token endpoint (true, false)
redirectUris=[array of strings] - Allowed URIs to return tokens or authorization codes to. Required for the "implicit" and "authorization_code" grant types
postLogoutRedirectUris=[array of strings] - Allowed URIs to redirect to after logout
frontChannelLogoutUri=[string] - Logout URI at the client for HTTP-based front-channel logout
frontChannelLogoutSessionRequired=[boolean] - Whether the user's session Id should be sent to the FrontChannelLogoutUri (true, false)
backChannelLogoutUri=[string] - Logout URI at the client for HTTP-based back-channel logout
backChannelLogoutSessionRequired=[boolean] - Whether the user's session Id should be sent in the request to the BackChannelLogoutUri (true, false)
identityTokenLifetime=[integer] - Lifetime of the identity token (in seconds). Default: 300 seconds/5 minutes
accessTokenLifetime=[integer] - Lifetime of the access token (in seconds). Default: 3600 seconds/1 hour
authorizationCodeLifetime=[integer] - Lifetime of the authorization code (in seconds). Default: 300 seconds/5 minutes
absoluteRefreshTokenLifetime=[integer] - Maximum lifetime of a refresh token (in seconds). Default: 2592000 seconds/30 days
slidingRefreshTokenLifetime=[integer] - Sliding lifetime of a refresh token (in seconds). Default: 1296000 seconds/15 days
refreshTokenUsage=[integer] - Refresh token usage: ReUse = 0, the refresh token handle stays the same when tokens are refreshed; OneTime = 1, the refresh token handle is replaced when tokens are refreshed
refreshTokenExpiration=[integer] - Refresh token expiration: Absolute = 0, the refresh token expires at a fixed point in time (issue time plus absoluteRefreshTokenLifetime); Sliding = 1, each refresh renews the lifetime of the refresh token by slidingRefreshTokenLifetime, but the total lifetime never exceeds absoluteRefreshTokenLifetime
allowedCorsOrigins=[array of strings] - If specified, used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients. Required for the "implicit" grant type
allowAccessTokensViaBrowser=[boolean] - Whether this client is allowed to receive access tokens via the browser (true/false). Leaving this false hardens flows that allow multiple response types: for example, a hybrid-flow client that is supposed to use "code id_token" cannot add the "token" response type and leak the access token to the browser.
claims=[array of objects]: type=[string], value=[string] - Claims to set for the client. They are included in the access token.
clientClaimsPrefix=[string] - Prefix added to the client claim types.
Success Response:
Code: 204 Success
Error Response:
Code: 400 Bad Request
Code: 401 Unauthorized
Code: 403 Forbidden
Code: 404 Not Found
Sample Response:
no content
Notes:
Updates the OIDC client details according to OIDC client Id and the supplied parameters. Once the request is successful, it does not return any content. The request body carries clientSecrets in clear text, so send it only over TLS and keep it out of shell history and CI logs. If the request fails, it returns an error response.
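The following Python module is an added example, not Checkmarx's own code. It serves both POST /OIDCClients and PUT /OIDCClients/{id}, which take the same body: it builds the client model, checks it against the rules stated on this page before anything is sent (known grant types, redirectUris for implicit/authorization_code, allowedCorsOrigins for implicit, a secret when requireClientSecret is true, the 0/1 enumerations for refreshTokenUsage and refreshTokenExpiration, a sliding lifetime no longer than the absolute one), builds the request with the headers the page specifies, and parses the Location header a 201 carries. The hardened defaults in new_client_model() (client_credentials only, secret required, no tokens via the browser, one-time refresh tokens), the base URL, token and secret are this example's assumptions; only send() touches the network and it is not run here.

```python
"""Build and sanity-check the OIDC client body shared by POST /OIDCClients and
PUT /OIDCClients/{id} before it leaves the workstation.

Added example, not Checkmarx code. The validation rules are the ones stated on this
page; the hardened defaults in new_client_model() are this example's own choices.
"""
import json
import re
import urllib.request

ALLOWED_GRANT_TYPES = {"client_credentials", "implicit", "authorization_code", "hybrid", "password"}
REUSE, ONE_TIME = 0, 1        # refreshTokenUsage values from the page
ABSOLUTE, SLIDING = 0, 1      # refreshTokenExpiration values from the page


def new_client_model(client_id, client_name, secret, scopes, **overrides):
    """Model for a back-end service: client_credentials only, secret required, no tokens
    via the browser, one-time refresh tokens, lifetimes at the page's defaults (assumed
    hardened baseline). Pass overrides to describe other client shapes."""
    model = {
        "clientId": client_id, "clientName": client_name,
        "allowedGrantTypes": ["client_credentials"], "allowedScopes": list(scopes),
        "clientSecrets": [secret], "requireClientSecret": True, "enabled": True,
        "allowOfflineAccess": False, "allowAccessTokensViaBrowser": False,
        "accessTokenType": 0, "includeJwtId": True, "updateAccessTokenClaimsOnRefresh": False,
        "alwaysIncludeUserClaimsInIdToken": False,
        "redirectUris": [], "postLogoutRedirectUris": [], "allowedCorsOrigins": [],
        "frontChannelLogoutUri": None, "frontChannelLogoutSessionRequired": True,
        "backChannelLogoutUri": None, "backChannelLogoutSessionRequired": True,
        "identityTokenLifetime": 300, "accessTokenLifetime": 3600,
        "authorizationCodeLifetime": 300, "absoluteRefreshTokenLifetime": 2592000,
        "slidingRefreshTokenLifetime": 1296000,
        "refreshTokenUsage": ONE_TIME, "refreshTokenExpiration": SLIDING,
        "claims": [], "clientClaimsPrefix": "",
    }
    model.update(overrides)
    return model


def validate_model(m):
    """Return the problems that would earn a 400 under the page's rules or weaken the client."""
    problems = []
    grants = set(m.get("allowedGrantTypes", []))
    if not grants:
        problems.append("allowedGrantTypes is empty")
    for g in sorted(grants - ALLOWED_GRANT_TYPES):
        problems.append("unknown grant type: " + g)
    if grants & {"implicit", "authorization_code"} and not m.get("redirectUris"):
        problems.append("redirectUris is required for implicit/authorization_code")
    if "implicit" in grants and not m.get("allowedCorsOrigins"):
        problems.append("allowedCorsOrigins is required for implicit")
    if m.get("requireClientSecret") and not m.get("clientSecrets"):
        problems.append("requireClientSecret is true but clientSecrets is empty")
    if m.get("refreshTokenUsage") not in (REUSE, ONE_TIME):
        problems.append("refreshTokenUsage must be 0 (ReUse) or 1 (OneTime)")
    if m.get("refreshTokenExpiration") not in (ABSOLUTE, SLIDING):
        problems.append("refreshTokenExpiration must be 0 (Absolute) or 1 (Sliding)")
    if m.get("slidingRefreshTokenLifetime", 0) > m.get("absoluteRefreshTokenLifetime", 0):
        problems.append("slidingRefreshTokenLifetime exceeds absoluteRefreshTokenLifetime")
    if not m.get("allowedScopes"):
        problems.append("allowedScopes is empty; the client could not reach any resource")
    return problems


def build_request(base_url, token, model, client_db_id=None):
    """POST /OIDCClients when client_db_id is None, otherwise PUT /OIDCClients/{id}.
    Raises ValueError rather than sending a body that fails validate_model()."""
    problems = validate_model(model)
    if problems:
        raise ValueError("; ".join(problems))
    path = "/cxrestapi/auth/OIDCClients" + ("" if client_db_id is None else f"/{int(client_db_id)}")
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(model).encode("utf-8"),
        method="POST" if client_db_id is None else "PUT",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json;v=1.0"})


def created_id(location):
    """Numeric client Id from the Location header returned with a 201."""
    match = re.search(r"/OIDCClients/(\d+)\s*$", location)
    if not match:
        raise ValueError("unexpected Location header: " + location)
    return int(match.group(1))


def send(req):
    """Return (status, Location header, body). The secret is in the body, so use TLS
    and keep the call out of shell history and CI logs. Not run in this example."""
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location", ""), resp.read().decode("utf-8")
```

To update an existing client, pass its numeric id as client_db_id; the same validation runs, and the PUT returns 204 with no body on success.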
Delete an OIDC Client - DELETE /OIDCClients/{id}
Delete an OIDC client according to OIDC Client Id.
Notice
The ‘Manage Clients’ permission is required to execute this API.
Usage:
GET /OIDCClients and get details of all OIDC clients
DELETE /OIDCClients/{id} and delete the OIDC client
URL
/cxrestapi/auth/OIDCClients/{id}
Method:
DELETE
Media Type (header):
Authorization: Bearer <access token value>
Content-Type: application/json;v=1.0
Parameters
Required:
id=[integer] - Unique Id of the OIDC client
Success Response:
Code: 204 Returns no content
Error Response:
Code: 400 Returns error messages
Code: 401 Unauthorized
Code: 403 Forbidden
Code: 404 Client not found
Sample Response:
no content
Notes:
Deletes the OIDC client according to OIDC client Id. Once the request is successful, it does not return any content. If the request fails, it returns an error response.