
Get Organization OAuth Application By Organization ID And Application ID

Description

Get Organization Managed OAuth App that was created and is owned by the organization

Access Policy

Role | User Accounts | Service Accounts (Client Credentials Applications)
Organization Owner | ✔️ | ✔️
Developer | ✔️ | ✔️

Request

URL

GET https://{api_host}/csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}

Path Parameters

string
orgId Required

Unique identifier (GUID) of the organization.

Parameter Serialization Style: simple Explode:false

string
oauthAppId Required

The unique identifier of the OAuth Application (client).

Parameter Serialization Style: simple Explode:false

Authentication

This operation uses the following authentication methods.

Response

Response Body

200 OK

Returns OrgOAuthAppResponse of type application/json
{
	"accessTokenTTL": 0,
	"additionalAttributeMasks": [
		"string"
	],
	"allowOpenRedirectUris": false,
	"allowedActorsAudienceExchange": [
		"string"
	],
	"allowedActorsClientDelegate": [
		"string"
	],
	"allowedOrgs": [
		{
			"displayName": "string",
			"id": "string",
			"name": "string"
		}
	],
	"allowedScopes": {
		"generalScopes": [
			"string"
		],
		"organizationScopes": {
			"allPermissions": false,
			"allRoles": false,
			"keptInToken": [
				"ROLES"
			],
			"permissions": [
				{
					"permissionId": "string",
					"resources": [
						"string"
					]
				}
			],
			"roles": [
				{
					"name": "string",
					"resource": "string"
				}
			]
		},
		"servicesScopes": [
			{
				"allPermissions": false,
				"allRoles": false,
				"keptInToken": [
					"ROLES"
				],
				"permissions": [
					{
						"permissionId": "string",
						"resources": [
							"string"
						]
					}
				],
				"roles": [
					{
						"name": "string",
						"resource": "string"
					}
				],
				"serviceDefinitionId": "string"
			}
		]
	},
	"createdAt": 0,
	"createdBy": "string",
	"description": "string",
	"displayName": "string",
	"forcePkce": false,
	"grantTypes": [
		"string"
	],
	"groupDomainAppendedInIDToken": false,
	"id": "string",
	"immutable": false,
	"lastUpdatedAt": 0,
	"lastUpdatedBy": "string",
	"maxAdditionalAttributesInIdToken": 0,
	"maxCharactersInAccessToken": 0,
	"maxGroupsInIdToken": 0,
	"organizationId": "string",
	"ownerOnlySecretRotation": false,
	"postLogoutRedirectUris": [
		"string"
	],
	"publicClient": false,
	"redirectUris": [
		"string"
	],
	"refreshTokenTTL": 0,
	"secretRotationExpirationInSeconds": 0,
	"serviceDefinitionId": "string",
	"useCspIssuerUrl": false
}
integer as int32
accessTokenTTL Optional

The organization OAuth Application access token time to live in seconds.


array of string
additionalAttributeMasks Optional

Additional attribute masks. Refer to GAZ docs.


boolean
allowOpenRedirectUris Optional

Allow client to use open redirections in non-production environments.


array of string
allowedActorsAudienceExchange Optional

The list of identifiers of other OAuth Apps that can exchange an ID token issued to this OAuth App.


array of string
allowedActorsClientDelegate Optional

The list of identifiers of other OAuth Apps that can act on behalf of this OAuth App.


allowedOrgs Optional

Allowed organizations.
Can be used to restrict the client to a subset of organizations.
The value is a list of organization IDs in which users may log in using this client. If the value is not present in the request (null value), the client will not be restricted.
Important:
1. This option is available only for service organizations. Consumer organizations cannot pass this value, since the client is restricted only to its managed organization, which cannot be changed.
2. It is not possible to update an organization-restricted client to be a regular client.
3. 'allowedOrgs' is ignored during the client_credentials flow.
4. If an organization is deleted, its references in allowedOrgs are eventually deleted. 'allowedOrgs' may therefore become empty, which means users cannot log in to any organization using this client.


allowedScopes Optional

The allowed general, organization and service scopes of access.


integer as int64
createdAt Optional

Timestamp, measured in number of seconds since 1/1/1970 UTC, indicating when the organization OAuth Application was created.


string
createdBy Optional

The username (email) of the user who created the organization OAuth Application.


string
description Optional

The description of the organization OAuth Application (client).


string
displayName Optional

The organization OAuth Application display name.


boolean
forcePkce Optional

When set to true, the flag mandates the use of PKCE when doing an authorization_code flow (i.e., the request will fail if PKCE is not used).


array of string
grantTypes Optional

The OAuth grant types. Customer organizations support the following grant types: authorization_code, refresh_token, and client_credentials. Service organizations additionally support the following grant types: audience_exchange, client_delegate, and context_switch.


boolean
groupDomainAppendedInIDToken Optional

Temporary flag used to request de-duplication of the domain name in the ID token by setting the value to 'false'.


string
id Optional

The unique identifier of the OAuth Application (client).


boolean
immutable Optional

Whether the organization OAuth App can be changed.


integer as int64
lastUpdatedAt Optional

Timestamp, measured in number of seconds since 1/1/1970 UTC, indicating when the organization OAuth Application was last updated.


string
lastUpdatedBy Optional

The username (email) of the user who updated the organization OAuth Application.


integer as int32
maxAdditionalAttributesInIdToken Optional

Maximum number of Additional attribute masks in ID token. Refer to GAZ docs.


integer as int32
maxCharactersInAccessToken Optional

Limits the number of text characters that will be put in the access token. If the resulting access token would exceed this value, an overflow behavior is triggered: the returned access token contains a claim 'ovc' that lists the claims which have overflowed, for example 'ovc': ['perms', 'authorization_details']. When overflow is triggered, the token also contains an 'ovl' claim with a URL which can be used to expand the access token and return the claims as JSON, for example 'ovl': 'https://gaz.csp-vidm-prod.com/api/check_access_token'. When 'maxCharactersInAccessToken' is not set (the default), a system-defined value is used; currently this value is 3415 characters, or about 5KB. The purpose of this behavior is to help ensure that the request headers containing the JWT access token do not become arbitrarily large. Your system must be able to handle a token that contains 'ovc' and 'ovl' claims.
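An added example (not part of the CSP documentation or any CSP SDK) of how a resource server can cope with the overflow behavior described above: it reads 'ovc' to learn which claims were dropped and falls back to the 'ovl' URL only for those claims, and only when that URL is https. The token payloads are constructed, and fetch_expanded is an assumed caller-supplied HTTP call.

```python
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed sample claim sets (already base64-decoded JWT payloads).
# 'ovc' and 'ovl' are the overflow claims the CSP docs describe; every
# other value is made up for this example.
NORMAL_PAYLOAD = {"sub": "alice@example.com", "perms": ["org:read"]}
OVERFLOWED_PAYLOAD = {
    "sub": "alice@example.com",
    "ovc": ["perms", "authorization_details"],
    "ovl": "https://gaz.csp-vidm-prod.com/api/check_access_token",
}


def overflowed_claims(payload: dict) -> list[str]:
    """Names of claims the issuer dropped because the token hit maxCharactersInAccessToken."""
    ovc = payload.get("ovc", [])
    if not isinstance(ovc, list) or not all(isinstance(c, str) for c in ovc):
        raise ValueError("'ovc' must be a list of claim names")
    return list(ovc)


def expansion_url(payload: dict) -> Optional[str]:
    """The 'ovl' URL, accepted only when it is an https URL with a host."""
    url = payload.get("ovl")
    if url is None:
        return None
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("'ovl' must be an https URL")
    return url


def get_claim(payload: dict, name: str,
              fetch_expanded: Callable[[str], dict]) -> Optional[object]:
    """Read a claim from the token, calling the expansion endpoint only when
    the token itself says that claim overflowed. fetch_expanded is an assumed
    caller-supplied HTTP call (it needs the original bearer token) that
    returns the expanded claim set as a dict."""
    if name in payload:
        return payload[name]
    if name not in overflowed_claims(payload):
        return None  # claim simply absent, not overflowed
    url = expansion_url(payload)
    if url is None:
        raise ValueError(f"claim '{name}' overflowed but token has no 'ovl' URL")
    expanded = fetch_expanded(url)
    return expanded.get(name)
```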


integer as int32
maxGroupsInIdToken Optional

The maximum number of groups allowed in the ID token.


string
organizationId Optional

Unique identifier (GUID) of the organization.


boolean
ownerOnlySecretRotation Optional

When set to 'true', the client is not allowed to rotate its own secret; rotation is then available only to the organization owner or service owner through the client rotation management APIs. By default, the client is allowed to self-rotate its secret.


array of string
postLogoutRedirectUris Optional

Post-logout redirect URIs, which a service can use as a custom redirect destination after logout (for example, the service login or home page). Relevant only for the authorization_code grant type.


boolean
publicClient Optional

Mark the client as a public client. Can only be specified at creation time (publicClient cannot be updated).
Public clients:
Cannot have a secret specified (the secret will implicitly be set as an empty string).
Cannot use the ‘client_credentials’ flow.
Cannot update or rotate their secret.
MUST use PKCE when doing an authorization_code flow.


array of string
redirectUris Optional

The organization OAuth Application redirect URIs.


integer as int32
refreshTokenTTL Optional

The organization OAuth Application refresh token time to live in seconds.


integer as int32
secretRotationExpirationInSeconds Optional

The secret rotation expiration in seconds. The old OAuth Application secret will expire after it. If not specified, the default expiration time is 48 hours.


string
serviceDefinitionId Optional

The unique identifier of the service.


boolean
useCspIssuerUrl Optional

Temporary flag used to request issuer URL to be set to CSP URL so that it is OIDC compliant (Default true).
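As an added example that is not part of the CSP documentation, a small audit of an OrgOAuthAppResponse that flags the settings described above which widen a client's exposure: open redirects, authorization_code without PKCE on a confidential client, self-rotated secrets, an emptied allowedOrgs list and a long access-token TTL. The sample response and the TTL threshold are constructed assumptions.

```python
from typing import Any

# Constructed OrgOAuthAppResponse for the example; the values are made up
# and only the field names follow the documentation above.
SAMPLE_APP = {
    "id": "example-client-id",
    "displayName": "reporting-dashboard",
    "grantTypes": ["authorization_code", "refresh_token"],
    "publicClient": False,
    "forcePkce": False,
    "allowOpenRedirectUris": True,
    "redirectUris": ["https://app.example.test/callback"],
    "ownerOnlySecretRotation": False,
    "allowedOrgs": [],
    "accessTokenTTL": 86400,
}

# Assumed policy threshold for this example; adjust to your own policy.
MAX_ACCEPTABLE_ACCESS_TOKEN_TTL = 3600


def audit_oauth_app(app: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (field, finding) pairs for settings that deserve review."""
    findings: list[tuple[str, str]] = []
    grants = set(app.get("grantTypes") or [])
    confidential = not app.get("publicClient")
    if app.get("allowOpenRedirectUris"):
        findings.append(("allowOpenRedirectUris",
                         "open redirections permitted; acceptable only in non-production"))
    # Public clients must use PKCE anyway; confidential ones only if forcePkce is set.
    if "authorization_code" in grants and confidential and not app.get("forcePkce"):
        findings.append(("forcePkce",
                         "confidential client may run authorization_code without PKCE"))
    if confidential and not app.get("ownerOnlySecretRotation"):
        findings.append(("ownerOnlySecretRotation",
                         "client can rotate its own secret; owner-only rotation is stricter"))
    # null means unrestricted; an empty list means nobody can log in through this client.
    if app.get("allowedOrgs") == []:
        findings.append(("allowedOrgs",
                         "empty list: no user can log in to any organization via this client"))
    ttl = app.get("accessTokenTTL") or 0
    if ttl > MAX_ACCEPTABLE_ACCESS_TOKEN_TTL:
        findings.append(("accessTokenTTL",
                         f"{ttl}s exceeds policy maximum of {MAX_ACCEPTABLE_ACCESS_TOKEN_TTL}s"))
    return findings
```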

Errors

Errors

401

The user is not authorized to use the API


403

The user is forbidden to use the API


404

The requested resource could not be found


429

The user has sent too many requests


500

An unexpected error has occurred while processing the request

Code Samples

Code Samples

cURL Command

curl https://{api_host}/csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}

Vendor Extensions

This operation contains the following vendor extensions defined in the spec:
x-required-roles: org_owner,developer
x-slo-tier: TIER2
