Create Organization O Auth Application By Organization Id Using POST
Create Organization Managed OAuth App. The created app will be owned by the organization.
Client ID and Client Secret are generated automatically if not provided. Clients can be created with open redirect Urls, using allowOpenRedirectUris = true. In this case, the redirectUris field must not be specified. Such clients will allow redirection to any custom url. This feature can only be used in non-production environments.
Important:
- If the grant type is client_delegate the refreshTokenTTL is limited to 14 days.
- Refresh token ttl should higher than access token ttl. Default access token ttl is 10 minutes. Default refresh token ttl is 90 days.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Admin | ✔️ | ✔️ |
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Unique identifier (GUID) of the organization.
Show optional properties
{
"allowedScopes": {},
"description": "string",
"displayName": "string",
"grantTypes": [
{}
]
}{
"accessTokenTTL": 0,
"additionalAttributeMasks": [
"string"
],
"allowOpenRedirectUris": false,
"allowedActorsAudienceExchange": [
"string"
],
"allowedActorsClientDelegate": [
"string"
],
"allowedOrgs": [
"string"
],
"allowedScopes": {
"generalScopes": [
"string"
],
"organizationScopes": {
"allPermissions": false,
"allRoles": false,
"keptInToken": [
"string"
],
"permissions": [
{
"permissionId": "string",
"resources": [
"string"
]
}
],
"roles": [
{
"name": "string",
"resource": "string"
}
]
},
"servicesScopes": [
{
"allPermissions": false,
"allRoles": false,
"keptInToken": [
"string"
],
"permissions": [
{
"permissionId": "string",
"resources": [
"string"
]
}
],
"roles": [
{
"name": "string",
"resource": "string"
}
],
"serviceDefinitionId": "string"
}
]
},
"crossOrgAccessClaimsSupported": false,
"description": "string",
"displayName": "string",
"forcePkce": false,
"grantTypes": [
"string"
],
"id": "string",
"isHidden": false,
"maxCharactersInAccessToken": 0,
"maxGroupsInIdToken": 0,
"ownerOnlySecretRotation": false,
"postLogoutRedirectUris": [
"string"
],
"publicClient": false,
"redirectUris": [
"string"
],
"refreshTokenTTL": 0,
"secret": "string",
"secretRotationExpirationInSeconds": 0,
"serviceDefinitionId": "string"
}The organization OAuth Application access token time to live in seconds.
Additional attribute masks. Refer to GAZ docs.
Allow client to use open redirections in non-production environments. If true, the redirectUris field must be null. If a client has been created with open redirect uris disabled, it cannot be updated to open redirect uris enabled.
The List of other OAuth App identifiers who can exchange id token from this OAuth App
The List of other OAuth App identifiers who can act on behalf of this OAuth App
Allowed Organizations.
Can be used to restrict the client to sub-set of organizations.
The value is a list of organizations IDs, in which users may login using this client. If value is not presented in the request (null value) the client will not be restricted.
Important:
1. This option is available only for service organizations. Consumer organizations cannot pass this value since the client is restricted only to it's managed organization, which cannot be changed.
2. It is not possible to update an organization/s restricted client to be a regular client.
3. The 'allowedOrgs' is ignored during client_credentials flow.
4. If an organization is deleted, its references in allowedOrgs are deleted eventually. 'allowedOrgs' may become empty if an organization gets deleted, which means users cannot login to any organization using this client. The 'allowedOrgs' will be ignored during client_credentials flow.
The allowed general, organization and service scopes of access.
Indicates whether the oauth client supports cross-org roles.
The description of the organization OAuth Application (client).
The organization OAuth Application display name..
The value must be alphanumerical and can contain the following symbols -_.`':@&, and space. International characters are allowed.
When set to true, the flag mandates the use of PKCE when doing an authorization_code flow (i.e., the request will fail if PKCE is not used).
The OAuth grant types. Customer organizations support the following grant types: authorization_code, refresh_token, and client_credentials. Service organizations additionally support the following grant types: audience_exchange, client_delegate, and context_switch.
The unique identifier of the OAuth Application (client).. Constraints:
1. Must contain at least 5 and at most 256 characters.
2. Allowed characters: A-Z a-z 0-9 _ -
3. Whitespaces are not allowed.
When set to true, this OAuth Application will not be displayed on the UI.
Limit the number of text characters that will be put in the access token. If the resulting access token would exceed this value, an overflow behavior will be triggered. If overflow is triggered, the returned access token will contain a claim 'ovc' that lists the claims which have overflowed. For example 'ovc' : ['perms', 'authorization_details']. When overflow is triggered, the token will also contain an 'ovl' claim containing a URL which can be can be used to expand the access token and return the claims as JSON. For example 'ovl': 'https://gaz.csp-vidm-prod.com/api/check_access_token' When 'maxCharactersInAccessToken' is not set (the default), a system defined value will be used. Currently this value is 3415 characters, or about 5KB. The purpose of this behavior is to help ensure that the request headers containing the JWT access token do not become arbitrarily large. Your system must be able to handle a token that contains 'ovc' and 'ovl' claims.
The maximum number of groups allowed in the ID token. In case the user is a member in more groups than the value specified in the OAuth client, a URL will be attached to the ID token under the 'ovl' claim.
When set to 'true', the client is not allowed to rotate its own secret. Client rotation will be enabled for organization owner/service owner only using client rotation management APIs. By default, client is enabled to self-rotate its secret.
Post logout redirect URIs, can be used by a service as a custom redirect destination after logout. For e.g., the service login/home page. Relevant only for the authorization_code grant type.
Mark the client as a public client. Can only be specified at creation time (publicClient cannot be updated).
Public clients:
Cannot have a secret specified (the secret will implicitly be set as an empty string).
Cannot use the 'client_credentials' flow.
Cannot update or rotate their secret.
MUST use PKCE when doing an authorization_code flow.
The organization OAuth Application redirect URIs. Relevant only for authorization_code grant type. If allowOpenRedirectUris = true is set, this field must not be specified.
The organization OAuth Application refresh token time to live in seconds.
The organization OAuth Application secret
The secret rotation expiration in seconds. The old OAuth Application secret will expire after it. If not specified, the default expiration time is 48 hours.
Optionally override the default number of seconds before a new OAuth Application secret will automatically be rotated when using the OAuth Application secret rotation APIs.
Service definition ID of the service using this authorization code webapp. Required in production for tracking purposes.
OK
{
"clientId": "string",
"clientSecret": "string"
}The unique identifier of the OAuth Application (client).
The organization OAuth Application secret
Invalid request body
{
"cspErrorCode": "string",
"errorCode": "string",
"message": "string",
"moduleCode": 0,
"requestId": "string",
"statusCode": 0
}cspErrorCode
errorCode
message
moduleCode
requestId
statusCode
The user is not authorized to use the API
{
"cspErrorCode": "string",
"errorCode": "string",
"message": "string",
"moduleCode": 0,
"requestId": "string",
"statusCode": 0
}cspErrorCode
errorCode
message
moduleCode
requestId
statusCode
The user is forbidden to use the API
{
"cspErrorCode": "string",
"errorCode": "string",
"message": "string",
"moduleCode": 0,
"requestId": "string",
"statusCode": 0
}cspErrorCode
errorCode
message
moduleCode
requestId
statusCode
The requested resource could not be found
{
"cspErrorCode": "string",
"errorCode": "string",
"message": "string",
"moduleCode": 0,
"requestId": "string",
"statusCode": 0
}cspErrorCode
errorCode
message
moduleCode
requestId
statusCode
The request could not be processed due to a conflict
{
"cspErrorCode": "string",
"errorCode": "string",
"message": "string",
"moduleCode": 0,
"requestId": "string",
"statusCode": 0
}cspErrorCode
errorCode
message
moduleCode
requestId
statusCode
The user has sent too many requests
{
"cspErrorCode": "string",
"errorCode": "string",
"message": "string",
"moduleCode": 0,
"requestId": "string",
"statusCode": 0
}cspErrorCode
errorCode
message
moduleCode
requestId
statusCode
An unexpected error has occurred while processing the request
{
"cspErrorCode": "string",
"errorCode": "string",
"message": "string",
"moduleCode": 0,
"requestId": "string",
"statusCode": 0
}cspErrorCode
errorCode
message
moduleCode
requestId
statusCode