Update Organization OAuth Application By Organization ID And Application ID
Update Organization Managed OAuth App that was created and is owned by the organization
Important:
Changing the client secret via the client management APIs will reset existing secret rotation (meaning, the provided secret in the management APIs will be the only valid secret).
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Organization Owner | ✔️ | ✔️ |
| Developer | ✔️ | ✔️ |
Request
URLURL
https://{api_host}/csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}
Path Parameters
Path Parameters
string
orgId
Required
Unique identifier (GUID) of the organization.
Parameter Serialization Style:simple Explode:false
string
oauthAppId
Required
The unique identifier of the OAuth Application (client).
Parameter Serialization Style:simple Explode:false
Request Body
Request Body
OrgOAuthAppUpdateRequest of mimetype application/json
Required
The request body to update organization OAuth Application.
(The request body parameter is missing description)
{
"description": "string",
"displayName": "string",
"grantTypes": [
"string"
]
}
string
description
Required
The description of the organization OAuth Application (client).
array of
string
grantTypes
Required
The OAuth grant types. Available grant types are: authorization_code, refresh_token, client_credentials and client_delegate.
string
displayName
Required
The organization OAuth Application display name.
The value must be alphanumerical and can contain the following symbols -_.`‘:@&, and space. International characters are allowed.
integer
accessTokenTTL
Optional
The organization OAuth Application access token time to live in seconds.
allowedScopes
Optional
The allowed general, organization and service scopes of access.
array of
string
allowedOrgs
Optional
Allowed Organizations.
Can be used to restrict the client to sub-set of organizations.
The value is a list of organizations IDs, in which users may login using this client. If value is not presented in the request (null value) the client will not be restricted.
Important:
1. This option is available only for service organizations. Consumer organizations cannot pass this value since the client is restricted only to it’s managed organization, which cannot be changed.
2. It is not possible to update an organization/s restricted client to be a regular client.
3. The ‘allowedOrgs’ is ignored during client_credentials flow.
4. If an organization is deleted, its references in allowedOrgs are deleted eventually. ‘allowedOrgs’ may become empty if an organization gets deleted, which means users cannot login to any organization using this client. The ‘allowedOrgs’ will be ignored during client_credentials flow.
boolean
forcePkce
Optional
When set to true, the flag mandates the use of PKCE when doing an authorization_code flow (i.e., the request will fail if PKCE is not used).
array of
string
additionalAttributeMasks
Optional
Additional attribute masks. Refer to GAZ docs.
boolean
groupDomainAppendedInIDToken
Optional
Temporary flag used to request de-dup of domain name in ID token by setting value to ‘false’.
integer
maxCharactersInAccessToken
Optional
Limit the number of text characters that would be put in the access token. If the access token has more characters than the max number provided, an overflow link will be provided in the access token. A value of zero will be considered as unlimited. A value of less than zero will be treated the same as not setting any value. If overflow happens the access token will have a claim ‘ovc’ that lists the claims which have overflowed. For example ‘ovc’ : [‘perms’, ‘authorization_details’]. It will also have a ‘ovl’ claim which is the link that can be used to get the full access token as json. For example ‘ovl’: ‘https://gaz.csp-vidm-prod.com/api/check_access_token’ When ‘maxCharactersInAccessToken’ is not set (the default), the maxCharactersInAccessToken parameter will be in effect if it is set. If it is not set, there will be no limit on the number of permissions.
integer
maxGroupsInIdToken
Optional
The maximum number of groups allowed in the ID token. In case the user is a member in more groups than the value specified in the OAuth client, a URL will be attached to the ID token under the ‘ovl’ claim.
boolean
ownerOnlySecretRotation
Optional
When set to ‘true’, the client is not allowed to rotate its own secret. Client rotation will be enabled for organization owner/service owner only using client rotation management APIs. By default, client is enabled to self-rotate its secret.
array of
string
postLogoutRedirectUris
Optional
Post logout redirect URIs, can be used by a service as a custom redirect destination after logout. For e.g., the service login/home page. Relevant only for authorization_code grant type. The PATCH operation will override the entire existing list.
array of
string
redirectUris
Optional
The organization OAuth Application redirect URIs.. Relevant only for authorization_code grant type
integer
refreshTokenTTL
Optional
The organization OAuth Application refresh token time to live in seconds.
string
secret
Optional
The organization OAuth Application secret
Important:
Changing the client secret via the client management APIs will reset existing secret rotation (meaning, the provided secret in the management APIs will be the only valid secret).
integer
secretRotationExpirationInSeconds
Optional
The secret rotation expiration in seconds. The old OAuth Application secret will expire after it. If not specified, the default expiration time is 48 hours.
Optionally override the default number of seconds before a new OAuth Application secret will automatically be rotated when using the OAuth Application secret rotation APIs.
string
serviceDefinitionId
Optional
Service definition ID of the service using this authorization code webapp. Required in production for tracking purposes.
Authentication
This operation uses the following authentication methods.
Response
Response
Response BodyResponse Body
200 OK returns
OrgOAuthAppResponse of type application/json
{
"accessTokenTTL": 0,
"additionalAttributeMasks": [
"string"
],
"allowOpenRedirectUris": false,
"allowedOrgs": [
{
"displayName": "string",
"id": "string",
"name": "string"
}
],
"allowedScopes": {
"generalScopes": [
"string"
],
"organizationScopes": {
"allPermissions": false,
"allRoles": false,
"keptInToken": [
"ROLES"
],
"permissions": [
{
"permissionId": "string",
"resources": [
"string"
]
}
],
"roles": [
{
"name": "string",
"resource": "string"
}
]
},
"servicesScopes": [
{
"allPermissions": false,
"allRoles": false,
"keptInToken": [
"ROLES"
],
"permissions": [
{
"permissionId": "string",
"resources": [
"string"
]
}
],
"roles": [
{
"name": "string",
"resource": "string"
}
],
"serviceDefinitionId": "string"
}
]
},
"createdAt": 0,
"createdBy": "string",
"description": "string",
"displayName": "string",
"forcePkce": false,
"grantTypes": [
"string"
],
"groupDomainAppendedInIDToken": false,
"id": "string",
"immutable": false,
"lastUpdatedAt": 0,
"lastUpdatedBy": "string",
"maxAdditionalAttributesInIdToken": 0,
"maxCharactersInAccessToken": 0,
"maxGroupsInIdToken": 0,
"organizationId": "string",
"ownerOnlySecretRotation": false,
"postLogoutRedirectUris": [
"string"
],
"publicClient": false,
"redirectUris": [
"string"
],
"refreshTokenTTL": 0,
"secretRotationExpirationInSeconds": 0,
"serviceDefinitionId": "string"
}
integer
accessTokenTTL
Optional
The organization OAuth Application access token time to live in seconds.
array of
string
additionalAttributeMasks
Optional
Additional attribute masks. Refer to GAZ docs.
boolean
allowOpenRedirectUris
Optional
Allow client to use open redirections in non-production environments.
array of
OrganizationDetailsDto
allowedOrgs
Optional
Allowed Organizations.
Can be used to restrict the client to sub-set of organizations.
The value is a list of organizations IDs, in which users may login using this client. If value is not presented in the request (null value) the client will not be restricted.
Important:
1. This option is available only for service organizations. Consumer organizations cannot pass this value since the client is restricted only to it’s managed organization, which cannot be changed.
2. It is not possible to update an organization/s restricted client to be a regular client.
3. The ‘allowedOrgs’ is ignored during client_credentials flow.
4. If an organization is deleted, its references in allowedOrgs are deleted eventually. ‘allowedOrgs’ may become empty if an organization gets deleted, which means users cannot login to any organization using this client. The ‘allowedOrgs’ will be ignored during client_credentials flow.
allowedScopes
Optional
The allowed general, organization and service scopes of access.
integer
createdAt
Optional
Timestamp, measured in number of seconds since 1/1/1970 UTC, indicating when the organization OAuth Application was created.
string
createdBy
Optional
The username (email) of the user who created the organization OAuth Application.
string
description
Optional
The description of the organization OAuth Application (client).
string
displayName
Optional
The organization OAuth Application display name.
boolean
forcePkce
Optional
When set to true, the flag mandates the use of PKCE when doing an authorization_code flow (i.e., the request will fail if PKCE is not used).
array of
string
grantTypes
Optional
The OAuth grant types. Available grant types are: authorization_code, refresh_token, client_credentials and client_delegate.
boolean
groupDomainAppendedInIDToken
Optional
Temporary flag used to request de-dup of domain name in ID token by setting value to ‘false’.
string
id
Optional
The unique identifier of the OAuth Application (client).
boolean
immutable
Optional
This property has no documentation
integer
lastUpdatedAt
Optional
Timestamp, measured in number of seconds since 1/1/1970 UTC, indicating when the organization OAuth Application was last updated.
string
lastUpdatedBy
Optional
The username (email) of the user who updated the organization OAuth Application.
integer
maxAdditionalAttributesInIdToken
Optional
Maximum number of Additional attribute masks in ID token. Refer to GAZ docs.
integer
maxCharactersInAccessToken
Optional
Limit the number of text characters that would be put in the access token. If the access token has more characters than the max number provided, an overflow link will be provided in the access token. A value of zero will be considered as unlimited. A value of less than zero will be treated the same as not setting any value. If overflow happens the access token will have a claim ‘ovc’ that lists the claims which have overflowed. For example ‘ovc’ : [‘perms’, ‘authorization_details’]. It will also have a ‘ovl’ claim which is the link that can be used to get the full access token as json. For example ‘ovl’: ‘https://gaz.csp-vidm-prod.com/api/check_access_token’ When ‘maxCharactersInAccessToken’ is not set (the default), the maxCharactersInAccessToken parameter will be in effect if it is set. If it is not set, there will be no limit on the number of permissions.
integer
maxGroupsInIdToken
Optional
The maximum number of groups allowed in the ID token.
string
organizationId
Optional
Unique identifier (GUID) of the organization.
boolean
ownerOnlySecretRotation
Optional
When set to ‘true’, the client is not allowed to rotate its own secret. Client rotation will be enabled for organization owner/service owner only using client rotation management APIs. By default, client is enabled to self-rotate its secret.
array of
string
postLogoutRedirectUris
Optional
Post logout redirect URIs, can be used by a service as a custom redirect destination after logout. For e.g., the service login/home page. Relevant only for the authorization_code grant type.
boolean
publicClient
Optional
Mark the client as a public client. Can only be specified at creation time (publicClient cannot be updated).
Public clients:
Cannot have a secret specified (the secret will implicitly be set as an empty string).
Cannot use the ‘client_credentials’ flow.
Cannot update or rotate their secret.
MUST use PKCE when doing an authorization_code flow.
array of
string
redirectUris
Optional
The organization OAuth Application redirect URIs.
integer
refreshTokenTTL
Optional
The organization OAuth Application refresh token time to live in seconds.
integer
secretRotationExpirationInSeconds
Optional
The secret rotation expiration in seconds. The old OAuth Application secret will expire after it. If not specified, the default expiration time is 48 hours.
string
serviceDefinitionId
Optional
The unique identifier of the Service
Errors
Code Samples
Code Samples
cURL Command
curl -X PATCH -H "Content-Type: application/json" -d '{"accessTokenTTL":0,"additionalAttributeMasks":["string"],"allowedOrgs":["string"],"allowedScopes":{"generalScopes":["string"],"organizationScopes":{"allPermissions":false,"allRoles":false,"keptInToken":["ROLES"],"permissions":[{"permissionId":"string","resources":["string"]}],"roles":[{"name":"string","resource":"string"}]},"servicesScopes":[{"allPermissions":false,"allRoles":false,"keptInToken":["ROLES"],"permissions":[{"permissionId":"string","resources":["string"]}],"roles":[{"name":"string","resource":"string"}],"serviceDefinitionId":"string"}]},"description":"string","displayName":"string","forcePkce":false,"grantTypes":["string"],"groupDomainAppendedInIDToken":false,"maxCharactersInAccessToken":0,"maxGroupsInIdToken":0,"ownerOnlySecretRotation":false,"postLogoutRedirectUris":["string"],"redirectUris":["string"],"refreshTokenTTL":0,"secret":"string","secretRotationExpirationInSeconds":0,"serviceDefinitionId":"string"}' https://{api_host}/csp/gateway/am/api/orgs/{orgId}/oauth-apps/{oauthAppId}
Vendor Extensions
This operation contains the following vendor extensions defined in the spec:
x-required-roles: org_owner,developer
x-slo-tier: TIER2
