Identity Service API Operations Index
All available Identity Service API Operations
Use this API instead:
- /oidc/oauth2/token
This endpoint exchanges one of the following grants for an access token: authorization_code, refresh_token or client_credentials.
- Send the parameters in the HTTP request body using the application/x-www-form-urlencoded format.
- Authenticate the client with an HTTP Authorization header of the form Basic Base64_Encode(client_id:client_secret).
- Organization ID parameter notes: when the organization ID is missing from the request, the default organization is used. For the password grant type, the user's default organization is set if available. For the client_credentials grant type, the organization that owns the client is set if available.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/sessions/current
Performs a logout by invalidating the supplied token (if one is supplied) and returning a URL to navigate to. The token to invalidate is taken from the ex-identity-auth-token header.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /oidc/oauth2/token
Exchanges an authorization code, a refresh token or client_credentials for a user access token.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /oidc/oauth2/token
To obtain an access token, follow the steps described in the official product documentation. A token generated by the Identity Service API alone will not work because required internal state is missing.
DEPRECATED: the refresh_token parameter name is deprecated; use api_token instead.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /oidc/oauth2/jwks
Returns the public keys (JWKS) used to verify the authenticity of JWT tokens issued by the service.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
This API has no analogue in Tenant Manager
Display the content of the given ID token with expanded claims if the token is valid.
If the token is invalid or expired, an error will be returned.
This endpoint should be used to expand the overflow claims in the ID token, if any (such as the 'group_names' and 'group_ids' claims).
Even though this endpoint can also be used to validate an ID token, it is expected that the client validates an ID token locally instead.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
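Local validation of an ID token against the JWKS, as the two endpoints above (/oidc/oauth2/jwks and the ID token expansion endpoint) expect a client to do. This is an added Go example, not code from the original page or from the Identity Service: it generates its own RSA key, serialises it as a JWKS document in place of the real /oidc/oauth2/jwks response, mints an RS256 token carrying a 'group_names' claim, and then verifies it the way a relying party should, with the algorithm pinned to RS256, a kid lookup, the signature checked before any claim is trusted, and then iss, aud and exp. Issuer, audience, kid and claim values are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK carries the RSA public key members (RFC 7517/7518) that verification needs.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var enc = base64.RawURLEncoding // JOSE segments are unpadded base64url

// JWKSFromKey publishes one RSA public key as a JWKS document; it stands in for the
// body of /oidc/oauth2/jwks so the example runs offline.
func JWKSFromKey(pub *rsa.PublicKey, kid string) []byte {
	e := enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	doc, _ := json.Marshal(map[string][]JWK{"keys": {{Kty: "RSA", Kid: kid, N: enc.EncodeToString(pub.N.Bytes()), E: e}}})
	return doc
}

// SignRS256 mints a token as the issuer would; it exists only to produce something to verify.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// keyByKid selects the RSA key the token header names; an unknown or non-RSA kid is an error.
func keyByKid(jwksDoc []byte, kid string) (*rsa.PublicKey, error) {
	var set struct {
		Keys []JWK `json:"keys"`
	}
	if err := json.Unmarshal(jwksDoc, &set); err != nil { return nil, err }
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid != kid {
			continue
		}
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if errN != nil || errE != nil { return nil, errors.New("malformed JWK") }
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// VerifyIDToken validates an ID token locally: alg pinned to RS256 (rejects "none" and
// HMAC key confusion), kid lookup, signature over header.payload, then iss, aud and exp.
// The payload is only unmarshalled and trusted after the signature verifies.
func VerifyIDToken(token string, jwksDoc []byte, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var seg [3][]byte
	var err error
	for i, p := range parts {
		if seg[i], err = enc.DecodeString(p); err != nil { return nil, fmt.Errorf("segment %d: %w", i, err) }
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported or malformed header (alg %q)", hdr.Alg)
	}
	pub, err := keyByKid(jwksDoc, hdr.Kid)
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if err := json.Unmarshal(seg[1], &claims); err != nil { return nil, err }
	if claims["iss"] != issuer || !audienceMatches(claims["aud"], audience) {
		return nil, errors.New("iss or aud mismatch")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) { return nil, errors.New("exp missing or token expired") }
	return claims, nil
}

// audienceMatches accepts both the string and the string-array form of aud (RFC 7519 section 4.1.3).
func audienceMatches(aud any, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []any:
		for _, a := range v {
			if a == want { return true }
		}
	}
	return false
}
```

The order of checks is deliberate: an unexpected alg is rejected before the JWKS is consulted, the key is chosen by kid and type rather than by whatever the header suggests, and the payload is decoded as JSON only once the signature is good. The verified claim set is where group claims such as 'group_names' should be read; the expansion endpoint above is for tokens whose group claims overflowed and were left out.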
Use this API instead:
- /scim/v2/Groups
In this case the PagedResponse.results field contains Group objects. See the Group model for reference.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /oauth/tenant/{{tenant name}}/token
Performs login.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /oidc/oauth2/token
An alias of the AuthenticationController's get access token method.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /oidc/.well-known/openid-configuration
Get discovery endpoint meta data as described in https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/orgs
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/orgs
NOTE: At the moment only the displayName field can be changed.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/roles
Get list of organization roles.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/users
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/orgs
Returns all sub-organizations for the passed Org ID. The user needs to be either an organization owner or a platform operator in order to get a result.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/roles
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /scim/v2/Groups
Performs a search for groups in the organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/groups/{{groupUrn}}
Get roles of a group within organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/groups/{{groupUrn}}
Update roles of a group within organization.
Note: the email notification for group role updates is disabled by the Identity Service.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/groups
Get groups of a specific organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/groups
Remove groups from organization.
Note: DEPRECATED: the response field failed will be deprecated; use the field failures instead.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /scim/v2/Users
Get the users in a group within the organization, optionally filtered by firstName, lastName or email with a 'contains' match. Set onlyDirectUsers to true to return only direct members and exclude users from nested groups.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ✔️ |
Use these APIs instead:
- /cloudapi/1.0.0/users
- /cloudapi/1.0.0/users/{{userUrn}}/preferences
- /scim/v2/Groups
Get a response encapsulating the organization's users.
The fetched page is determined by the optional page start and page limit parameters; the default is a page size of 20 starting from the first page. Note that pageStart is a 1-based index.
The optional serviceDefinitionId parameter, which filters for users having access to a service in CSP, is currently not supported.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ❌ |
Use these APIs instead:
- /cloudapi/1.0.0/users
- /cloudapi/1.0.0/users/{{userUrn}}/preferences
- /scim/v2/Groups
Get a response encapsulating the organization's users.
The fetched page is determined by the optional page start and page limit parameters; the default is a page size of 20 starting from the first page. Note that pageStart is a 1-based index.
The optional serviceDefinitionId parameter, which filters for users having access to a service in CSP, is currently not supported.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/users
Search users in the organization whose username, firstName, lastName or email "contains" the search term; e.g. searching for "test" returns a user whose email address contains "test", if that user is a member of the organization.
Search results are limited to the first 20 matches; refine the search term for more accurate results. Organization members receive basic user information. Organization owners additionally receive the users' role details.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/preferences/internal:localLanguage
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/vcf/preferences
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/preferences/internal:localLanguage
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /oidc/userinfo
Currently one user can belong to exactly one organization. The result contains detailed information for that organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /oidc/userinfo
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /oidc/userinfo
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use these APIs instead:
- /oidc/userinfo
- /cloudapi/1.0.0/roles
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use these APIs instead:
- /scim/v2/Users
- /scim/v2/Groups
- /cloudapi/1.0.0/orgs
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /scim/v2/Users
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /oidc/userinfo
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /oidc/userinfo
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
This API has no analogue in Tenant Manager
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
This API has no analogue in Tenant Manager
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ❌ |
This API has no analogue in Tenant Manager
Currently all organizations have access to all of the service definitions.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ❌ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/users/{{userUrn}}
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/users/{{userUrn}}
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /scim/v2/Users/{{userUrn}}
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/users/{{userUrn}}
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use these APIs instead:
- /cloudapi/1.0.0/users
- /scim/v2/Groups
There is no CSP API call that returns user roles together with group inheritance information.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /scim/v2/Users
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ❌ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ✔️ |
Use these APIs instead:
- /scim/v2/Users
- /scim/v2/Groups
- /cloudapi/1.0.0/orgs
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /scim/v2/Users
The user information includes all user-related fields (which are also part of the associated user ID token). Group IDs and names are included. The API diverges from the CSP API on 1) the 'email_verified' field, which is currently not provided by this API, and 2) the 'sub' field, which contains the user ID only, in contrast with CSP, which contains '
Access Policy
| Role | Access |
|---|---|
| Anonymous | ✔️ |
Use this API instead:
- /scim/v2/Users
Search users in the corresponding organization in the IdP by name and email.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ✔️ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /scim/v2/Users
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ❌ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ✔️ |
Use this API instead:
- /cloudapi/1.0.0/users
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /scim/v2/Users
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use these APIs instead:
- /scim/v2/Users
- /scim/v2/Groups
- /cloudapi/1.0.0/orgs
Currently one user can belong to exactly one organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |
Use this API instead:
- /cloudapi/1.0.0/users/{{userUrn}}
Update service and organization roles of a user in the organization.
Access Policy
| Role | Access |
|---|---|
| Platform operator | ✔️ |
| Organization Owner | ✔️ |
| Organization Member | ❌ |
| Service Account (Whitelisted Client) | ❌ |