--- layout: api page_title: 'OIDC Identity Provider' description: >- This is the API documentation for configuring and managing OIDC providers with Vault. --- ## Create or Update a Provider This endpoint creates or updates a Provider. | Method | Path | | :----- | :----------------- | | `POST` | `identity/oidc/provider/:name` | ### Parameters - `name` `(string: )` – The name of the provider. This parameter is specified as part of the URL. - `issuer` `(string: )` - Specifies what will be used as the `scheme://host:port` component for the `iss` claim of ID tokens. This defaults to a URL with Vault's `api_addr` as the `scheme://host:port` component and `/v1/:namespace/identity/oidc/provider/:name` as the path component. If provided explicitly, it must point to a Vault instance that is network reachable by clients for ID token validation. - `allowed_client_ids` `([]string: )` – The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed. - `scopes_supported` `([]string: )` – The scopes available for requesting on the provider. ### Sample Payload ```json { "allowed_client_ids": ["*"], "scopes_supported": ["test-scope"] } ``` ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider ``` ## Read Provider by Name This endpoint queries the OIDC provider by its name. | Method | Path | | :----- | :------------------------ | | `GET` | `/identity/oidc/provider/:name` | ### Parameters - `name` `(string: )` – The name of the provider. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider ``` ### Sample Response ```json { "data": { "allowed_client_ids":["*"], "issuer":"", "scopes_supported":["test-scope"] } } ``` ## List Providers This endpoint returns a list of all OIDC providers. | Method | Path | | :----- | :------------------------------ | | `LIST` | `/identity/oidc/provider` | ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request LIST \ http://127.0.0.1:8200/v1/identity/oidc/provider ``` ### Sample Response ```json { "data": { "keys":[ "test-provider" ] } } ``` ## Delete Provider by Name This endpoint deletes an OIDC provider. | Method | Path | | :------- | :------------------------ | | `DELETE` | `/identity/oidc/provider/:name` | ### Parameters - `name` `(string: )` – The name of the provider. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider ``` ## Create or Update a Scope This endpoint creates or updates a scope. | Method | Path | | :----- | :----------------- | | `POST` | `identity/oidc/scope/:name` | ### Parameters - `name` `(string: )` – The name of the scope. This parameter is specified as part of the URL. The `openid` scope name is reserved. - `template` `(string: )` - The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON. - `description` `(string: )` – A description of the scope. ### Sample Payload ```json { "template":"{ \"groups\": {{identity.entity.groups.names}} }", "description":"A simple scope example." } ``` ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope ``` ## Read Scope by Name This endpoint queries a scope by its name. | Method | Path | | :----- | :------------------------ | | `GET` | `/identity/oidc/scope/:name` | ### Parameters - `name` `(string: )` – The name of the scope. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope ``` ### Sample Response ```json { "data": { "description":"A simple scope example.", "template":"{ \"groups\": {{identity.entity.groups.names}} }" } } ``` ## List Scopes This endpoint returns a list of all configured scopes. | Method | Path | | :----- | :------------------------------ | | `LIST` | `/identity/oidc/scope` | ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request LIST \ http://127.0.0.1:8200/v1/identity/oidc/scope ``` ### Sample Response ```json { "data": { "keys":[ "test-scope" ] } } ``` ## Delete Scope by Name This endpoint deletes a scope. | Method | Path | | :------- | :------------------------ | | `DELETE` | `/identity/oidc/scope/:name` | ### Parameters - `name` `(string: )` – The name of the scope. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope ``` ## Create or Update a Client This endpoint creates or updates a client. | Method | Path | | :----- | :----------------- | | `POST` | `identity/oidc/client/:name` | ### Parameters - `name` `(string: )` – The name of the client. This parameter is specified as part of the URL. - `key` `(string: )` – A reference to a named key resource. This cannot be modified after creation. - `redirect_uris` `([]string: )` - Redirection URI values used by the client. One of these values must exactly match the `redirect_uri` parameter value used in each [authentication request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). - `assignments` `([]string: )` – A list of assignment resources associated with the client. - `id_token_ttl` `(int or duration: )` – The time-to-live for ID tokens obtained by the client. This can be specified as a number of seconds or as a [Go duration format string](https://golang.org/pkg/time/#ParseDuration) like `"30m"` or `"6h"`. The value should be less than the `verification_ttl` on the key. - `access_token_ttl` `(int or duration: )` – The time-to-live for access tokens obtained by the client. This can be specified as a number of seconds or as a [Go duration format string](https://golang.org/pkg/time/#ParseDuration) like `"30m"` or `"6h"`. ### Sample Payload ```json { "key":"test-key", "access_token_ttl":"30m", "id_token_ttl":"1h" } ``` ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/identity/oidc/client/test-client ``` ## Read Client by Name This endpoint queries a client by its name. | Method | Path | | :----- | :------------------------ | | `GET` | `/identity/oidc/client/:name` | ### Parameters - `name` `(string: )` – The name of the client. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/identity/oidc/client/test-client ``` ### Sample Response ```json { "data":{ "access_token_ttl":1800, "assignments":[], "client_id":"014zXvcvbvIZWwD5NfD1Uzmv7c5JBRMb", "client_secret":"hvo_secret_bZtgQPBZaJXK7F5vOI7JlvEuLOfOUS7DmwynFjE3xKcsen7TyowqPFfYFXG2tbWM", "id_token_ttl":3600, "key":"test-key", "redirect_uris":[] } } ``` ## List Clients This endpoint returns a list of all configured clients. | Method | Path | | :----- | :------------------------------ | | `LIST` | `/identity/oidc/client` | ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request LIST \ http://127.0.0.1:8200/v1/identity/oidc/client ``` ### Sample Response ```json { "data": { "keys":[ "test-client" ] } } ``` ## Delete Client by Name This endpoint deletes a client. | Method | Path | | :------- | :------------------------ | | `DELETE` | `/identity/oidc/client/:name` | ### Parameters - `name` `(string: )` – The name of the client. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/identity/oidc/client/test-client ``` ## Create or Update an Assignment This endpoint creates or updates an assignment. | Method | Path | | :----- | :----------------- | | `POST` | `identity/oidc/assignment/:name` | ### Parameters - `name` `(string: )` – The name of the assignment. This parameter is specified as part of the URL. - `entity_ids` `([]string: )` - A list of Vault [entity](https://www.vaultproject.io/docs/secrets/identity#entities-and-aliases) IDs. - `group_ids` `([]string: )` – A list of Vault [group](https://www.vaultproject.io/docs/secrets/identity#identity-groups) IDs. ### Sample Payload ```json { "group_ids":["my-group"], "entity_ids":["my-entity"] } ``` ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment ``` ## Read Assignment by Name This endpoint queries an assignment by its name. | Method | Path | | :----- | :------------------------ | | `GET` | `/identity/oidc/assignment/:name` | ### Parameters - `name` `(string: )` – The name of the assignment. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment ``` ### Sample Response ```json { "data":{ "entity_ids":[ "my-entity" ], "group_ids":[ "my-group" ] } } ``` ## List Assignments This endpoint returns a list of all configured assignments. | Method | Path | | :----- | :------------------------------ | | `LIST` | `/identity/oidc/assignment` | ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request LIST \ http://127.0.0.1:8200/v1/identity/oidc/assignment ``` ### Sample Response ```json { "data": { "keys":[ "test-assignment" ] } } ``` ## Delete Assignment by Name This endpoint deletes an assignment. | Method | Path | | :------- | :------------------------ | | `DELETE` | `/identity/oidc/assignment/:name` | ### Parameters - `name` `(string: )` – The name of the assignment. ### Sample Request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment ```