identity_provider_client


post /auth/api/v1/idp/clients

Creates a new identity provider client configuration. client_id and client_secret are generated automatically by the server.

id

string

ID of the identity provider client config

name

string

Name of the identity provider client config

idp_type

string

Identity provider client type, "oidc" or "saml"

Default
"oidc"
Example
"oidc"

oidc_issuer

string

The authorization server's issuer identifier. Read-only.

Default
"Provided by server"
Example
"https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/"

oidc_audience

array[string]

Custom audience(s) for the IdP config. By default, the audience is your client_id. Use this to add more audiences.

Default
[ "testdomain.local" ]
Example
[ "testdomain.local" ]

oidc_client_id

string

OAuth 2.0 Client Identifier valid at the Authorization Server.

Default
"Provided by server"
Example
"f81c1189-76b6-46e8-ba1e-54b2d3221534"

oidc_client_secret

string

OAuth 2.0 Client secret valid at the Authorization Server.

Default
"Provided by server"
Example
"83bcd1d3-cded-4BeB-903e-938359a87053"

oidc_scopes_enabled

array[string]

Array containing a list of the enabled OAuth 2.0 [RFC6749] "scope" values. "openid" scope is implicitly enabled.

Default
"Provided by server"
Example
[ "profile", "email", "phone", "address", "offline_access", "privx_roles" ]

oidc_response_types_supported

array[string]

Array containing a list of the OAuth 2.0 [RFC6749] "response_type" values. Read only.

Default
"Provided by server"
Example
[ "code", "id_token token", "id_token" ]

oidc_grant_types_supported

array[string]

Array containing a list of the OAuth 2.0 [RFC6749] grant type values. Read-only.

Default
"Provided by server"
Example
[ "authorization_code", "refresh_token", "implicit" ]

oidc_code_challenge_method_enabled

boolean

Enable PKCE with the S256 code_challenge_method.

Default
true

oidc_auth_method_enabled

string

Selected client authentication method used by the Token Endpoint. Allowed values are "none", "client_secret_basic", "client_secret_post" or "private_key_jwt".

Default
"client_secret_basic"

oidc_auth_method_post

boolean

Enable POST method for client_id/client_secret authentication in addition to HTTP Basic Auth.

Default
true

oidc_grant_type_refresh_token

boolean

Enable use of the refresh_token grant.

Default
true

oidc_default_logout_redirect_uri

string

Default post-logout redirect URI, used if end_session is called without a redirect URI.

oidc_allowed_redirect_uris

array[string]

Array containing a list of allowed redirect URIs for the Authorization Code and Implicit flows.

Example
[ "https://thirdpartysite/authorize/callback" ]

oidc_attribute_mapping

object (oidc_attribute_mapping)

An object containing attribute:token mappings that map user attributes to ID token attributes. Allowed token attribute values are sub, name, preferred_username, family_name, given_name, locale, email, and phone_number.

Example
{ "email": "sub" }

oidc_signature_algorithm

string

Token signature algorithm [RFC7518]. Allowed values are RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384 and PS512.

Default
"RS256"

oidc_access_token_valid_in_minutes

int

Access token validity in minutes.

Default
5

oidc_refresh_token_valid_in_minutes

int

Refresh token validity in minutes.

Default
480

saml_identifier

string

The authorization server's entity ID. Global setting, read-only.

Default
"Provided by server"
Example
"https://privx_endpoint/saml/IdForServiceProvider1"

saml_sso_service_url

string

SAML SSO Service address. Global setting, read-only. TBD

Default
"Provided by server"

saml_metadata_url

string

SAML metadata address. Global setting, read-only. TBD

Default
"Provided by server"

saml_acs_url

string

SAML Assertion Consumer Service URL for the authentication response. TBD

Default
""
Example
"https://thirdpartysite/login/callback"

saml_attribute_mapping

object (saml_attribute_mapping)

An object containing mappings for SAML attributes.

saml_public_x509_certificate

string

SAML public X509 certificate. Read-only.

Default
"Provider by server"

user_filter

string

User filter. Only users matching this filter are allowed to log in. Leave empty to allow all users.

Default
""
Example
"(dn=johndoe*)"

enabled

boolean

Enable or disable the IdP client config.

Default
true

Response

Example

Successful response, identity provider created.

{
  "id": "string",
  "name": "string",
  "idp_type": "oidc",
  "oidc_issuer": "https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/",
  "oidc_audience": [
    "testdomain.local"
  ],
  "oidc_client_id": "f81c1189-76b6-46e8-ba1e-54b2d3221534",
  "oidc_client_secret": "83bcd1d3-cded-4BeB-903e-938359a87053",
  "oidc_scopes_enabled": [
    "profile",
    "email",
    "phone",
    "address",
    "offline_access",
    "privx_roles"
  ],
  "oidc_response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "oidc_grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit"
  ],
  "oidc_code_challenge_method_enabled": true,
  "oidc_auth_method_enabled": "string",
  "oidc_auth_method_post": true,
  "oidc_grant_type_refresh_token": true,
  "oidc_default_logout_redirect_uri": "string",
  "oidc_allowed_redirect_uris": [
    "https://thirdpartysite/authorize/callback"
  ],
  "oidc_attribute_mapping": {
    "email": "sub"
  },
  "oidc_signature_algorithm": "string",
  "oidc_access_token_valid_in_minutes": 123,
  "oidc_refresh_token_valid_in_minutes": 123,
  "saml_identifier": "https://privx_endpoint/saml/IdForServiceProvider1",
  "saml_sso_service_url": "string",
  "saml_metadata_url": "string",
  "saml_acs_url": "https://thirdpartysite/login/callback",
  "saml_attribute_mapping": {},
  "saml_public_x509_certificate": "string",
  "user_filter": "(dn=johndoe*)",
  "enabled": true
}
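The endpoint above accepts a full configuration object, but several fields are server-provided and the others carry allowed-value sets that a caller should check before submitting. The script below is an added example, not PrivX's own code or SDK: it builds a request body for an OIDC client with conservative settings (PKCE on, client_secret_basic only, POST-body credentials off, RS256, the documented 5-minute access token lifetime), validates it against the constraints listed on this page, and submits it. The base URL, the bearer token and the use of an Authorization: Bearer header are assumptions; the allowed-value sets and field names come from the field descriptions above.

```python
"""Added example (not PrivX's own code): build, validate and submit an OIDC
identity provider client configuration to POST /auth/api/v1/idp/clients.
Allowed-value sets are taken from the field descriptions on this page.
The base URL, token and bearer-token auth scheme are assumptions."""
import json
import urllib.request
from urllib.parse import urlparse

# Allowed values as documented for the endpoint's fields.
IDP_TYPES = {"oidc", "saml"}
AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post", "private_key_jwt"}
SIG_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
            "PS256", "PS384", "PS512"}
TOKEN_ATTRS = {"sub", "name", "preferred_username", "family_name", "given_name",
               "locale", "email", "phone_number"}
# Fields the page marks read-only or "Provided by server"; a client must not set them.
SERVER_MANAGED = {"oidc_issuer", "oidc_client_id", "oidc_client_secret",
                  "oidc_response_types_supported", "oidc_grant_types_supported",
                  "saml_identifier", "saml_sso_service_url", "saml_metadata_url",
                  "saml_public_x509_certificate"}


def build_oidc_client_config(name, redirect_uris, logout_uri, scopes=("profile", "email"),
                             attribute_mapping=None, extra_audiences=()):
    """Request body with conservative choices: PKCE on, HTTP Basic client auth only
    (oidc_auth_method_post off, unlike the page's default of true), RS256, 5-minute
    access tokens. Server-managed fields are deliberately absent."""
    return {
        "name": name,
        "idp_type": "oidc",
        "oidc_audience": list(extra_audiences),
        "oidc_scopes_enabled": list(scopes),
        "oidc_code_challenge_method_enabled": True,
        "oidc_auth_method_enabled": "client_secret_basic",
        "oidc_auth_method_post": False,
        "oidc_grant_type_refresh_token": True,
        "oidc_default_logout_redirect_uri": logout_uri,
        "oidc_allowed_redirect_uris": list(redirect_uris),
        "oidc_attribute_mapping": dict(attribute_mapping or {"email": "sub"}),
        "oidc_signature_algorithm": "RS256",
        "oidc_access_token_valid_in_minutes": 5,
        "oidc_refresh_token_valid_in_minutes": 480,
        "enabled": True,
    }


def _is_exact_https(uri):
    """Redirect URIs should be absolute https URLs without fragment or wildcard,
    so the server can match them exactly rather than by prefix or pattern."""
    p = urlparse(uri)
    return p.scheme == "https" and bool(p.netloc) and not p.fragment and "*" not in uri


def validate_oidc_client_config(cfg):
    """Return a list of problems; an empty list means the body is acceptable."""
    problems = []
    if cfg.get("idp_type") not in IDP_TYPES:
        problems.append("idp_type must be 'oidc' or 'saml'")
    for field in sorted(SERVER_MANAGED & set(cfg)):
        problems.append(f"{field} is provided by the server; do not send it")
    if cfg.get("oidc_auth_method_enabled") not in AUTH_METHODS:
        problems.append("oidc_auth_method_enabled not in allowed set")
    if cfg.get("oidc_signature_algorithm") not in SIG_ALGS:
        problems.append("oidc_signature_algorithm not in allowed set")
    if (cfg.get("oidc_auth_method_enabled") == "none"
            and not cfg.get("oidc_code_challenge_method_enabled")):
        problems.append("public client ('none') without PKCE")
    for uri in cfg.get("oidc_allowed_redirect_uris", []):
        if not _is_exact_https(uri):
            problems.append(f"redirect URI is not an exact https URL: {uri}")
    for attr, claim in cfg.get("oidc_attribute_mapping", {}).items():
        if claim not in TOKEN_ATTRS:
            problems.append(f"attribute mapping {attr}->{claim}: unknown token attribute")
    ttl = cfg.get("oidc_access_token_valid_in_minutes", 0)
    if not isinstance(ttl, int) or ttl <= 0:
        problems.append("oidc_access_token_valid_in_minutes must be a positive integer")
    return problems


def create_idp_client(base_url, bearer_token, cfg, opener=urllib.request.urlopen):
    """Validate, POST the body and return the parsed JSON response.
    Assumes the API accepts an OAuth bearer token (assumption)."""
    problems = validate_oidc_client_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        base_url.rstrip("/") + "/auth/api/v1/idp/clients",
        data=json.dumps(cfg).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with opener(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_oidc_client_config("thirdpartysite",
                                    ["https://thirdpartysite/authorize/callback"],
                                    "https://thirdpartysite/logout")
    print(validate_oidc_client_config(body))  # [] -> safe to send
    # created = create_idp_client("https://your.privx.server.endpoint", "TOKEN", body)
    # The response carries oidc_client_secret: store it in a secret store, never log it.
```

The response to a successful create contains the generated oidc_client_id and oidc_client_secret; the secret is only available here and via the regenerate endpoint, so the caller should hand it straight to a secret store rather than print or persist it elsewhere.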

get /auth/api/v1/idp/clients/{idp_id}

Fetches existing identity provider client configuration.

idp_id

string

uuid

required

Identity provider ID

Response

Example

Successful response, returns existing identity_provider.

{
  "id": "string",
  "name": "string",
  "idp_type": "oidc",
  "oidc_issuer": "https://your.privx.server.endpoint/oidc/e00a8f60-9051-48d7-a755-cef45801a7cc/",
  "oidc_audience": [
    "testdomain.local"
  ],
  "oidc_client_id": "f81c1189-76b6-46e8-ba1e-54b2d3221534",
  "oidc_client_secret": "83bcd1d3-cded-4BeB-903e-938359a87053",
  "oidc_scopes_enabled": [
    "profile",
    "email",
    "phone",
    "address",
    "offline_access",
    "privx_roles"
  ],
  "oidc_response_types_supported": [
    "code",
    "id_token token",
    "id_token"
  ],
  "oidc_grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "implicit"
  ],
  "oidc_code_challenge_method_enabled": true,
  "oidc_auth_method_enabled": "string",
  "oidc_auth_method_post": true,
  "oidc_grant_type_refresh_token": true,
  "oidc_default_logout_redirect_uri": "string",
  "oidc_allowed_redirect_uris": [
    "https://thirdpartysite/authorize/callback"
  ],
  "oidc_attribute_mapping": {
    "email": "sub"
  },
  "oidc_signature_algorithm": "string",
  "oidc_access_token_valid_in_minutes": 123,
  "oidc_refresh_token_valid_in_minutes": 123,
  "saml_identifier": "https://privx_endpoint/saml/IdForServiceProvider1",
  "saml_sso_service_url": "string",
  "saml_metadata_url": "string",
  "saml_acs_url": "https://thirdpartysite/login/callback",
  "saml_attribute_mapping": {},
  "saml_public_x509_certificate": "string",
  "user_filter": "(dn=johndoe*)",
  "enabled": true
}

put /auth/api/v1/idp/clients/{idp_id}

Updates existing identity provider client configuration definition.

idp_id

string

uuid

required

Identity provider ID

Response

Example

Identity provider client configuration successfully updated

{
  "id": "5bf77342-221c-11ee-be56-0242ac120002"
}

delete /auth/api/v1/idp/clients/{idp_id}

Deletes an identity provider client configuration by ID.

idp_id

string

uuid

required

Identity provider client configuration id

Response

Example

Identity provider client configuration successfully deleted

Empty response

post /auth/api/v1/idp/clients/{idp_id}/regenerate

Regenerates client_id and client_secret for OIDC identity provider client configuration.

idp_id

string

uuid

required

Identity provider ID

Response

Example

client_id and client_secret successfully regenerated. Returns the new values.

{
  "client_id": "5bf77342-221c-11ee-be56-0242ac120002",
  "client_secret": "5bf77342-221c-11ee-be56-0242ac120002"
}
