Update Organization OAuth Application By Organization Id And Application Id Using PATCH

Updates an organization-managed OAuth App that was created by, and is owned by, the organization.
Important:

  • Changing the client secret via the client management APIs resets any existing secret rotation (the secret supplied through the management APIs becomes the only valid secret).
  • If the grant types include client_delegate, refreshTokenTTL is limited to 14 days.
  • refreshTokenTTL must be higher than accessTokenTTL. The default access token TTL is 10 minutes; the default refresh token TTL is 90 days.

Access Policy

Role                 User Accounts   Service Accounts (Client Credentials Applications)
Organization Admin   ✔️              ✔️
Organization Owner   ✔️              ✔️
Developer            ✔️              ✔️
Request
URI
PATCH
https://{api_host}/csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}
Path Parameters
string
orgId
Required

Unique identifier (GUID) of the organization.

string
oauthAppId
Required

The unique identifier of the OAuth Application (client).


Request Body
OrgOAuthAppUpdateRequest of type(s) application/json
Required
"OrgOAuthAppUpdateRequest Object"
integer As int32
secretRotationExpirationInSeconds
Optional

The secret rotation expiration in seconds: after a rotation, the old OAuth Application secret expires once this many seconds have elapsed. If not specified, the default expiration time is 48 hours.
Use it to override the default number of seconds before a new OAuth Application secret is automatically rotated when using the OAuth Application secret rotation APIs.

string
displayName
Required

The organization OAuth Application display name.
The value must be alphanumerical and can contain the following symbols -_.`':@&, and space. International characters are allowed.

boolean
crossOrgAccessClaimsSupported
Optional

Indicates whether the oauth client supports cross-org roles.

array of string
redirectUris
Optional

The organization OAuth Application redirect URIs. Relevant only for the authorization_code grant type.

string
description
Required

The description of the organization OAuth Application (client).

string As (?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*()_+=\[\]-{|}',./:;<>?`~]).*
secret
Optional

The organization OAuth Application secret
Important:
Changing the client secret via the client management APIs resets any existing secret rotation (the secret supplied through the management APIs becomes the only valid secret).

boolean
isHidden
Optional

When set to true, this OAuth Application will not be displayed on the UI.

string
serviceDefinitionId
Optional

Service definition ID of the service using this authorization code webapp. Required in production for tracking purposes.

integer As int32
maxGroupsInIdToken
Optional

The maximum number of groups allowed in the ID token. In case the user is a member in more groups than the value specified in the OAuth client, a URL will be attached to the ID token under the 'ovl' claim.

array of string
allowedOrgs
Optional
Constraints: minItems: 1 maxItems: 15

Allowed Organizations.
Can be used to restrict the client to a subset of organizations.
The value is a list of organization IDs in which users may log in using this client. If the value is not present in the request (null value), the client is not restricted.
Important:
1. This option is available only for service organizations. Consumer organizations cannot pass this value, since their client is restricted to its managed organization, which cannot be changed.
2. It is not possible to update an organization-restricted client back into a regular (unrestricted) client.
3. 'allowedOrgs' is ignored during the client_credentials flow.
4. If an organization is deleted, its references in 'allowedOrgs' are eventually deleted. 'allowedOrgs' may therefore become empty, in which case users cannot log in to any organization using this client.

object
allowedScopes
Optional

The allowed general, organization and service scopes of access.

boolean
ownerOnlySecretRotation
Optional

When set to 'true', the client is not allowed to rotate its own secret; rotation is then possible only for the organization owner/service owner through the client rotation management APIs. By default, a client may self-rotate its secret.

array of string
allowedActorsAudienceExchange
Optional
Constraints: minItems: 0 maxItems: 200

The list of identifiers of the other OAuth Apps that are allowed to exchange an ID token issued to this OAuth App (audience_exchange).

integer As int32
refreshTokenTTL
Optional

The organization OAuth Application refresh token time to live in seconds.

integer As int32
accessTokenTTL
Optional

The organization OAuth Application access token time to live in seconds.

boolean
forcePkce
Optional

When set to true, the flag mandates the use of PKCE when doing an authorization_code flow (i.e., the request will fail if PKCE is not used).

boolean
groupDomainAppendedInIDToken
Optional

Temporary flag. Set it to 'false' to request that the domain name not be duplicated in the ID token.

array of string
postLogoutRedirectUris
Optional

Post-logout redirect URIs; a service can use them as a custom redirect destination after logout, e.g. the service login/home page. Relevant only for the authorization_code grant type. The PATCH operation overrides the entire existing list.

boolean
useCspIssuerUrl
Optional

Temporary flag used to request issuer URL to be set to CSP URL so that it is OIDC compliant (Default false, but will be changed to true after deprecation cycle).

array of string
grantTypes
Required

The OAuth grant types. Customer organizations support the following grant types: authorization_code, refresh_token, and client_credentials. Service organizations additionally support the following grant types: audience_exchange, client_delegate, context_switch and client_exchange.

array of string
additionalAttributeMasks
Optional

Additional attribute masks that serve as a filter to indicate what custom user attributes (e.g., employee_id) must be included in the ID token after auth flow.

integer As int32
maxCharactersInAccessToken
Optional

Limits the number of text characters that will be put in the access token. If the resulting access token would exceed this value, overflow behavior is triggered: the returned access token contains a claim 'ovc' that lists the claims which have overflowed, for example 'ovc': ['perms', 'authorization_details'], and an 'ovl' claim containing a URL which can be used to expand the access token and return the claims as JSON, for example 'ovl': 'https://gaz.csp-vidm-prod.com/api/check_access_token'. When 'maxCharactersInAccessToken' is not set (the default), a system-defined value is used; currently this value is 3415 characters, or about 5KB. The purpose of this behavior is to ensure that the request headers carrying the JWT access token do not become arbitrarily large. Your system must be able to handle a token that contains 'ovc' and 'ovl' claims.

array of string
allowedActorsClientDelegate
Optional
Constraints: minItems: 0 maxItems: 200

The list of identifiers of the other OAuth Apps that are allowed to act on behalf of this OAuth App (client_delegate).
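
The constraints scattered across the field descriptions above (required fields, grant types per organization type, the TTL ordering, the 14-day client_delegate limit, the allowedOrgs and allowedActors bounds, the secret pattern, which fields only matter for authorization_code) are easy to get wrong and only surface as a 400 after the call. The following added example, which is not CSP's own code, runs those checks locally before building the PATCH request. The secret pattern is copied verbatim from the 'secret' field; note that inside its character class `\]-{` is a range from `]` to `{`, which happens to include the lowercase letters, so the pattern as published accepts a secret with no punctuation at all (the example's test shows this). The displayName regex, the function names, the `Bearer` scheme in the Authorization header and the sample body are assumptions of this example.

```python
"""Pre-flight validation of an OrgOAuthAppUpdateRequest body before sending the
PATCH described on this page. Added example; the checks encode the constraints
stated in the field descriptions. Everything not on the page (function names,
the displayName regex, the Bearer scheme, the sample body) is an assumption."""
import json
import re
import urllib.request

# Pattern copied from the 'secret' field description on this page.
SECRET_RE = re.compile(
    r"(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])"
    r"(?=.*[!@#$%^&*()_+=\[\]-{|}',./:;<>?`~]).*")
# Assumed encoding of the displayName rule: alphanumerics (Unicode aware),
# the listed symbols -_.`':@&, and space.
DISPLAY_NAME_RE = re.compile(r"^[\w\-_.`':@&, ]+$")

CUSTOMER_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}
SERVICE_ONLY_GRANTS = {"audience_exchange", "client_delegate",
                       "context_switch", "client_exchange"}
DEFAULT_ACCESS_TTL = 600          # page: default access token TTL is 10 minutes
DEFAULT_REFRESH_TTL = 90 * 86400  # page: default refresh token TTL is 90 days
CLIENT_DELEGATE_MAX_REFRESH = 14 * 86400


def validate_update(body: dict, service_org: bool) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Errors violate a documented constraint;
    warnings are settings the page says are ignored or weak in this context."""
    errors, warnings = [], []
    for key in ("displayName", "description", "grantTypes"):
        if not body.get(key):
            errors.append(f"{key} is required")
    name = body.get("displayName", "")
    if name and not DISPLAY_NAME_RE.match(name):
        errors.append("displayName contains characters outside the allowed set")
    grants = set(body.get("grantTypes", []))
    allowed = CUSTOMER_GRANTS | (SERVICE_ONLY_GRANTS if service_org else set())
    for g in sorted(grants - allowed):
        errors.append(f"grant type {g!r} not supported for this organization type")
    access = body.get("accessTokenTTL", DEFAULT_ACCESS_TTL)
    refresh = body.get("refreshTokenTTL", DEFAULT_REFRESH_TTL)
    if refresh <= access:
        errors.append("refreshTokenTTL must be higher than accessTokenTTL")
    if "client_delegate" in grants and refresh > CLIENT_DELEGATE_MAX_REFRESH:
        errors.append("refreshTokenTTL is limited to 14 days for client_delegate")
    if "secret" in body:
        if not SECRET_RE.fullmatch(body["secret"]):
            errors.append("secret does not satisfy the documented pattern")
        warnings.append("setting 'secret' resets any in-progress secret rotation")
    orgs = body.get("allowedOrgs")
    if orgs is not None:
        if not service_org:
            errors.append("allowedOrgs is only available for service organizations")
        if not 1 <= len(orgs) <= 15:
            errors.append("allowedOrgs must contain between 1 and 15 organization IDs")
        if "client_credentials" in grants:
            warnings.append("allowedOrgs is ignored during the client_credentials flow")
    for key in ("allowedActorsAudienceExchange", "allowedActorsClientDelegate"):
        if len(body.get(key, [])) > 200:
            errors.append(f"{key} exceeds maxItems 200")
    if "authorization_code" in grants:
        if not body.get("forcePkce"):
            warnings.append("authorization_code without forcePkce: PKCE stays optional")
    else:
        for key in ("redirectUris", "postLogoutRedirectUris"):
            if body.get(key):
                warnings.append(f"{key} is only relevant for authorization_code")
    return errors, warnings


def build_patch_request(api_host: str, org_id: str, app_id: str,
                        bearer_token: str, body: dict) -> urllib.request.Request:
    """Assemble the PATCH request from this page; the caller sends it with urlopen.
    The 'Bearer' scheme is an assumption; the page only shows 'Authorization: <value>'."""
    url = f"https://{api_host}/csp/gateway/am/api/orgs/{org_id}/oauth-apps/{app_id}"
    return urllib.request.Request(
        url, method="PATCH", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})


# Constructed sample body (not a real client).
SAMPLE_BODY = {
    "displayName": "Inventory Sync",
    "description": "Backend service for inventory synchronisation",
    "grantTypes": ["authorization_code", "refresh_token"],
    "redirectUris": ["https://inventory.example.com/oauth/callback"],
    "forcePkce": True,
    "accessTokenTTL": 600,
    "refreshTokenTTL": 86400,
}

if __name__ == "__main__":
    errs, warns = validate_update(SAMPLE_BODY, service_org=False)
    print("errors:", errs, "warnings:", warns)
    req = build_patch_request("console.example.com", "org-guid", "app-id",
                              "token", SAMPLE_BODY)
    print(req.get_method(), req.full_url)
```

Run the validator once with `service_org=False` and once with `service_org=True` when you are unsure which kind of organization owns the client; the only difference is the grant-type and allowedOrgs checks.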

Authentication
This operation uses the following authentication methods.
Responses
200

OK

Returns OrgOAuthAppResponse of type(s) application/json
{
    "allowedActorsAudienceExchange": [
        "string"
    ],
    "crossOrgAccessClaimsSupported": false,
    "organizationId": "string",
    "description": "string",
    "maxAdditionalAttributesInIdToken": 0,
    "lastUsedAt": 0,
    "secretAge": 0,
    "grantTypes": [
        "string"
    ],
    "secretRotationExpirationInSeconds": 0,
    "displayName": "string",
    "id": "string",
    "redirectUris": [
        "string"
    ],
    "allowOpenRedirectUris": false,
    "immutable": false,
    "lastUpdatedBy": "string",
    "isHidden": false,
    "allowedScopes": {
        "organizationScopes": {
            "keptInToken": [
                "string"
            ],
            "allRoles": false,
            "permissions": [
                {
                    "resources": [
                        "string"
                    ],
                    "permissionId": "string"
                }
            ],
            "allPermissions": false,
            "roles": [
                {
                    "name": "string",
                    "resource": "string"
                }
            ]
        },
        "servicesScopes": [
            {
                "keptInToken": [
                    "string"
                ],
                "allRoles": false,
                "permissions": [
                    {
                        "resources": [
                            "string"
                        ],
                        "permissionId": "string"
                    }
                ],
                "serviceDefinitionId": "string",
                "roles": [
                    {
                        "name": "string",
                        "resource": "string"
                    }
                ],
                "allPermissions": false
            }
        ],
        "generalScopes": [
            "string"
        ]
    },
    "maxGroupsInIdToken": 0,
    "lastUpdatedAt": 0,
    "createdAt": 0,
    "allowedOrgs": [
        {
            "displayName": "string",
            "id": "string",
            "name": "string"
        }
    ],
    "accessTokenTTL": 0,
    "ownerOnlySecretRotation": false,
    "serviceDefinitionId": "string",
    "publicClient": false,
    "createdBy": "string",
    "forcePkce": false,
    "groupDomainAppendedInIDToken": false,
    "postLogoutRedirectUris": [
        "string"
    ],
    "useCspIssuerUrl": false,
    "maxCharactersInAccessToken": 0,
    "additionalAttributeMasks": [
        "string"
    ],
    "refreshTokenTTL": 0,
    "allowedActorsClientDelegate": [
        "string"
    ]
}
array of string
allowedActorsAudienceExchange
Optional

The list of identifiers of the other OAuth Apps that are allowed to exchange an ID token issued to this OAuth App (audience_exchange).

boolean
crossOrgAccessClaimsSupported
Optional

Indicates whether the oauth client supports cross-org roles.

string
organizationId
Optional

Unique identifier (GUID) of the organization.

string
description
Optional

The description of the organization OAuth Application (client).

integer As int32
maxAdditionalAttributesInIdToken
Optional

Maximum number of additional attributes included in ID token.

integer As int32
lastUsedAt
Optional

The timestamp at which the OAuth app was last used (measured in number of seconds since 1/1/1970 UTC).

integer As int32
secretAge
Optional

The time (in seconds) since the last time the OAuth app secret was set or updated.

array of string
grantTypes
Optional

The OAuth grant types. Customer organizations support the following grant types: authorization_code, refresh_token, and client_credentials. Service organizations additionally support the following grant types: audience_exchange, client_delegate, context_switch and client_exchange.

integer As int32
secretRotationExpirationInSeconds
Optional

The secret rotation expiration in seconds. The old OAuth Application secret will expire after it. If not specified, the default expiration time is 48 hours.

string
displayName
Optional

The organization OAuth Application display name.

string
id
Optional

The unique identifier of the OAuth Application (client).

array of string
redirectUris
Optional

The organization OAuth Application redirect URIs.

boolean
allowOpenRedirectUris
Optional

Allow client to use open redirections in non-production environments.

boolean
immutable
Optional

Whether the organization OAuth App can be changed.

string
lastUpdatedBy
Optional

The username (email) of the user who updated the organization OAuth Application.

boolean
isHidden
Optional

When set to true, this OAuth Application will not be displayed on the UI.

object
allowedScopes
Optional

The allowed general, organization and service scopes of access.

integer As int32
maxGroupsInIdToken
Optional

The maximum number of groups allowed in the ID token.

integer As int64
lastUpdatedAt
Optional

Timestamp, measured in number of seconds since 1/1/1970 UTC, indicating when the organization OAuth Application was last updated.

integer As int64
createdAt
Optional

Timestamp, measured in number of seconds since 1/1/1970 UTC, indicating when the organization OAuth Application was created.

array of object
allowedOrgs
Optional

Allowed Organizations.
Can be used to restrict the client to a subset of organizations.
The value is a list of organization IDs in which users may log in using this client. If the value is not present in the request (null value), the client is not restricted.
Important:
1. This option is available only for service organizations. Consumer organizations cannot pass this value, since their client is restricted to its managed organization, which cannot be changed.
2. It is not possible to update an organization-restricted client back into a regular (unrestricted) client.
3. 'allowedOrgs' is ignored during the client_credentials flow.
4. If an organization is deleted, its references in 'allowedOrgs' are eventually deleted. 'allowedOrgs' may therefore become empty, in which case users cannot log in to any organization using this client.

integer As int32
accessTokenTTL
Optional

The organization OAuth Application access token time to live in seconds.

boolean
ownerOnlySecretRotation
Optional

When set to 'true', the client is not allowed to rotate its own secret; rotation is then possible only for the organization owner/service owner through the client rotation management APIs. By default, a client may self-rotate its secret.

string
serviceDefinitionId
Optional

The unique identifier of the Service

boolean
publicClient
Optional

Marks the client as a public client. Can only be specified at creation time (publicClient cannot be updated).
Public clients:
  • Cannot have a secret specified (the secret is implicitly set to an empty string).
  • Cannot use the 'client_credentials' flow.
  • Cannot update or rotate their secret.
  • MUST use PKCE when doing an authorization_code flow.

string
createdBy
Optional

The username (email) of the user who created the organization OAuth Application.

boolean
forcePkce
Optional

When set to true, the flag mandates the use of PKCE when doing an authorization_code flow (i.e., the request will fail if PKCE is not used).

boolean
groupDomainAppendedInIDToken
Optional

Temporary flag. Set it to 'false' to request that the domain name not be duplicated in the ID token.

array of string
postLogoutRedirectUris
Optional

Post-logout redirect URIs; a service can use them as a custom redirect destination after logout, e.g. the service login/home page. Relevant only for the authorization_code grant type.

boolean
useCspIssuerUrl
Optional

Temporary flag used to request issuer URL to be set to CSP URL so that it is OIDC compliant (Default false, but will be changed to true after deprecation cycle).

integer As int32
maxCharactersInAccessToken
Optional

Limits the number of text characters that will be put in the access token. If the resulting access token would exceed this value, overflow behavior is triggered: the returned access token contains a claim 'ovc' that lists the claims which have overflowed, for example 'ovc': ['perms', 'authorization_details'], and an 'ovl' claim containing a URL which can be used to expand the access token and return the claims as JSON, for example 'ovl': 'https://gaz.csp-vidm-prod.com/api/check_access_token'. When 'maxCharactersInAccessToken' is not set (the default), a system-defined value is used; currently this value is 3415 characters, or about 5KB. The purpose of this behavior is to ensure that the request headers carrying the JWT access token do not become arbitrarily large. Your system must be able to handle a token that contains 'ovc' and 'ovl' claims.
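
The maxCharactersInAccessToken description (here and in the request body above) ends with a requirement on the consuming side: a resource server must cope with a token whose 'perms' or other claims have been moved out of the JWT. The following added example, which is not CSP's own code, shows one way to do that: read 'ovc', decide whether any claim the authorization decision needs is among the overflowed ones, and only then follow 'ovl'. The page does not specify how the 'ovl' endpoint is called (method, headers, response shape), so the example takes an injectable `fetch(url) -> dict` callable and a trusted-host allowlist; both are assumptions, as are the constructed token and the expanded claims returned by `fake_fetch`. JWT signature verification must happen before any of this runs and is out of scope here.

```python
"""Handling the 'ovc'/'ovl' overflow claims described for maxCharactersInAccessToken.
Added example, not CSP's own code. The expansion call (fetch) and the trusted
host list are assumed interfaces; signature verification is not performed here."""
import base64
import json
from urllib.parse import urlsplit

# Assumed: only expansion URLs on these hosts are followed. The token is signed,
# so 'ovl' is integrity-protected, but pinning the host is still cheap insurance
# against a misconfigured or test issuer pointing the resource server elsewhere.
TRUSTED_OVL_HOSTS = {"gaz.csp-vidm-prod.com"}


def decode_payload(jwt: str) -> dict:
    """Decode the claims segment of a compact JWT (no signature check here)."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def overflowed_claims(claims: dict) -> list[str]:
    """Names listed in 'ovc'; empty when the token did not overflow."""
    ovc = claims.get("ovc", [])
    return list(ovc) if isinstance(ovc, list) else []


def resolve_overflow(claims: dict, required: set[str], fetch) -> dict:
    """Return a claim set containing every claim in 'required'.

    If none of the required claims overflowed, the inline claims are returned
    and no network call is made. Otherwise the 'ovl' URL is checked against the
    trusted hosts, passed to fetch(url) -> dict (assumed interface), and the
    expanded claims are merged over the inline ones."""
    missing = required & set(overflowed_claims(claims))
    if not missing:
        return claims
    url = claims.get("ovl")
    if not url:
        raise ValueError(f"claims {sorted(missing)} overflowed but no 'ovl' URL present")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_OVL_HOSTS:
        raise ValueError(f"refusing to expand token via untrusted URL {url!r}")
    expanded = fetch(url)
    if not missing <= set(expanded):
        raise ValueError(f"expansion did not return {sorted(missing - set(expanded))}")
    return {**claims, **expanded}


# Constructed sample: a token whose 'perms' and 'authorization_details' claims
# overflowed. Header and signature segments are placeholders, not a real token.
_PAYLOAD = {
    "sub": "svc-inventory", "exp": 1700000600, "iss": "https://console.example.com",
    "context_name": "org-guid",
    "ovc": ["perms", "authorization_details"],
    "ovl": "https://gaz.csp-vidm-prod.com/api/check_access_token",
}
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9." + base64.urlsafe_b64encode(
    json.dumps(_PAYLOAD).encode()).rstrip(b"=").decode() + ".c2lnbmF0dXJl"


def fake_fetch(url: str) -> dict:
    """Stand-in for the expansion call; returns constructed expanded claims."""
    return {"perms": ["csp:org_member", "inventory:read"], "authorization_details": []}


if __name__ == "__main__":
    claims = decode_payload(SAMPLE_JWT)
    print("overflowed:", overflowed_claims(claims))
    full = resolve_overflow(claims, {"sub", "perms"}, fake_fetch)
    print("perms:", full["perms"])
```

Keeping `required` small pays off: a resource server that only needs `sub` and `context_name` never has to make the expansion call, even for tokens that overflowed.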

array of string
additionalAttributeMasks
Optional

Additional attribute masks that serve as a filter to indicate what custom user attributes (e.g., employee_id) must be included in the ID token after auth flow.

integer As int32
refreshTokenTTL
Optional

The organization OAuth Application refresh token time to live in seconds.

array of string
allowedActorsClientDelegate
Optional

The list of identifiers of the other OAuth Apps that are allowed to act on behalf of this OAuth App (client_delegate).
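
The OrgOAuthAppResponse returned by this call (and by the corresponding GET) carries several fields worth reviewing rather than just storing: secretAge, lastUsedAt, allowOpenRedirectUris, forcePkce, publicClient, allowedOrgs and isHidden. The following added example, which is not CSP's own tooling, audits one response body for the settings a security reviewer would flag. The secret-age and idle thresholds, the treatment of `localhost` redirect URIs and the sample response are assumptions of this example; the page does not prescribe any of them.

```python
"""Audit an OrgOAuthAppResponse (the 200 body above) for settings a reviewer
would flag. Added example, not CSP's own tooling. The thresholds and the
sample response are assumptions, not values from the page."""
import time
from typing import Optional
from urllib.parse import urlsplit

MAX_SECRET_AGE = 90 * 86400   # assumed rotation policy
MAX_IDLE = 180 * 86400        # assumed: unused clients are candidates for removal
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def audit_oauth_app(app: dict, now: Optional[int] = None) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    now = int(time.time()) if now is None else now
    findings = []
    grants = set(app.get("grantTypes", []))
    if "authorization_code" in grants:
        if not app.get("forcePkce"):
            findings.append("authorization_code client does not force PKCE")
        if app.get("allowOpenRedirectUris"):
            findings.append("open redirect URIs are allowed")
        for uri in app.get("redirectUris", []):
            parts = urlsplit(uri)
            if parts.scheme != "https" and parts.hostname not in LOOPBACK_HOSTS:
                findings.append(f"non-https redirect URI {uri!r}")
            if "*" in uri:
                findings.append(f"wildcard in redirect URI {uri!r}")
    if not app.get("publicClient"):
        # Public clients have no secret (see publicClient above), so skip them.
        age = app.get("secretAge")
        if age is not None and age > MAX_SECRET_AGE:
            findings.append(f"secret is {age // 86400} days old")
    last_used = app.get("lastUsedAt")
    if last_used and now - last_used > MAX_IDLE:
        findings.append(f"not used for {(now - last_used) // 86400} days")
    if app.get("allowedOrgs") == []:
        findings.append("allowedOrgs is empty: no user can log in through this client")
    if app.get("isHidden"):
        findings.append("client is hidden from the UI; make sure it is still inventoried")
    return findings


# Constructed sample response (not a real client); 'now' is fixed so the
# example is deterministic.
NOW = 1_700_000_000
SAMPLE_APP = {
    "id": "inventory-sync-client", "displayName": "Inventory Sync",
    "grantTypes": ["authorization_code", "refresh_token"],
    "publicClient": False, "forcePkce": False, "allowOpenRedirectUris": True,
    "redirectUris": ["http://inventory.internal/callback",
                     "https://inventory.example.com/callback"],
    "secretAge": 200 * 86400, "lastUsedAt": NOW - 3 * 86400,
    "allowedOrgs": None, "isHidden": False, "immutable": False,
}

if __name__ == "__main__":
    for finding in audit_oauth_app(SAMPLE_APP, now=NOW):
        print("-", finding)
```

Feed it the JSON of every client in an organization (the list endpoint is not on this page) and the findings double as the to-do list for the PATCH described here: set forcePkce, drop allowOpenRedirectUris, trim redirectUris, and rotate stale secrets.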


400

Invalid request body

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32
moduleCode
Optional

moduleCode

integer As int32
statusCode
Optional

statusCode


401

The user is not authorized to use the API

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32
moduleCode
Optional

moduleCode

integer As int32
statusCode
Optional

statusCode


403

The user is forbidden to use the API

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32
moduleCode
Optional

moduleCode

integer As int32
statusCode
Optional

statusCode


404

The requested resource could not be found

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32
moduleCode
Optional

moduleCode

integer As int32
statusCode
Optional

statusCode


409

The request could not be processed due to a conflict

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32
moduleCode
Optional

moduleCode

integer As int32
statusCode
Optional

statusCode


429

The user has sent too many requests

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32
moduleCode
Optional

moduleCode

integer As int32
statusCode
Optional

statusCode


500

An unexpected error has occurred while processing the request

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32
moduleCode
Optional

moduleCode

integer As int32
statusCode
Optional

statusCode


Code Samples
# Body is a single OrgOAuthAppUpdateRequest object; displayName, description and grantTypes are required.
curl -X PATCH 'https://{api_host}/csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}' \
  -H 'Authorization: <value>' -H 'Content-Type: application/json' \
  -d '{"displayName": "My App", "description": "Example client", "grantTypes": ["authorization_code", "refresh_token"], "forcePkce": true}'