mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-15 02:57:04 +02:00
Code Issues Projects Releases Wiki Activity
fa03adb718
vault/website/content/api-docs/secret/identity/oidc-provider.mdx

495 lines
11 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: api
page_title: 'OIDC Identity Provider'
description: >-
This is the API documentation for configuring and managing OIDC providers with Vault.
---
## Create or Update a Provider
This endpoint creates or updates a Provider.
| Method | Path |
| :----- | :----------------- |
| `POST` | `identity/oidc/provider/:name` |
### Parameters
- `name` `(string: <required>)` The name of the provider. This parameter is specified as part of the URL.
- `issuer` `(string: <optional>)` - Specifies what will be used as the `scheme://host:port` component for the `iss` claim of ID tokens. This defaults to a URL with
Vault's `api_addr` as the `scheme://host:port` component and `/v1/:namespace/identity/oidc/provider/:name` as the path
component. If provided explicitly, it must point to a Vault instance that is network reachable by clients for ID token validation.
- `allowed_client_ids` `([]string: <optional>)` The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*", all clients are allowed.
- `scopes_supported` `([]string: <optional>)` The scopes available for requesting on the provider.
### Sample Payload
```json
{
"allowed_client_ids": ["*"],
"scopes_supported": ["test-scope"]
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
## Read Provider by Name
This endpoint queries the OIDC provider by its name.
| Method | Path |
| :----- | :------------------------ |
| `GET` | `/identity/oidc/provider/:name` |
### Parameters
- `name` `(string: <required>)` The name of the provider.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
### Sample Response
```json
{
"data": {
"allowed_client_ids":["*"],
"issuer":"",
"scopes_supported":["test-scope"]
}
}
```
## List Providers
This endpoint returns a list of all OIDC providers.
| Method | Path |
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/provider` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/provider
```
### Sample Response
```json
{
"data": {
"keys":[
"test-provider"
]
}
}
```
## Delete Provider by Name
This endpoint deletes an OIDC provider.
| Method | Path |
| :------- | :------------------------ |
| `DELETE` | `/identity/oidc/provider/:name` |
### Parameters
- `name` `(string: <required>)` The name of the provider.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
```
## Create or Update a Scope
This endpoint creates or updates a scope.
| Method | Path |
| :----- | :----------------- |
| `POST` | `identity/oidc/scope/:name` |
### Parameters
- `name` `(string: <required>)` The name of the scope. This parameter is specified as part of the URL. The `openid` scope name is reserved.
- `template` `(string: <optional>)` - The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON.
- `description` `(string: <optional>)` A description of the scope.
### Sample Payload
```json
{
"template":"{ \"groups\": {{identity.entity.groups.names}} }",
"description":"A simple scope example."
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
## Read Scope by Name
This endpoint queries a scope by its name.
| Method | Path |
| :----- | :------------------------ |
| `GET` | `/identity/oidc/scope/:name` |
### Parameters
- `name` `(string: <required>)` The name of the scope.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
### Sample Response
```json
{
"data": {
"description":"A simple scope example.",
"template":"{ \"groups\": {{identity.entity.groups.names}} }"
}
}
```
## List Scopes
This endpoint returns a list of all configured scopes.
| Method | Path |
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/scope` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/scope
```
### Sample Response
```json
{
"data": {
"keys":[
"test-scope"
]
}
}
```
## Delete Scope by Name
This endpoint deletes a scope.
| Method | Path |
| :------- | :------------------------ |
| `DELETE` | `/identity/oidc/scope/:name` |
### Parameters
- `name` `(string: <required>)` The name of the scope.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
```
## Create or Update a Client
This endpoint creates or updates a client.
| Method | Path |
| :----- | :----------------- |
| `POST` | `identity/oidc/client/:name` |
### Parameters
- `name` `(string: <required>)` The name of the client. This parameter is specified as part of the URL.
- `key` `(string: <required>)` A reference to a named key resource. This cannot be modified after creation.
- `redirect_uris` `([]string: <optional>)` - Redirection URI values used by the client. One of these values
must exactly match the `redirect_uri` parameter value used in each [authentication request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
- `assignments` `([]string: <optional>)` A list of assignment resources associated with the client.
- `id_token_ttl` `(int or duration: <optional>)` The time-to-live for ID tokens obtained by the client.
This can be specified as a number of seconds or as a [Go duration format string](https://golang.org/pkg/time/#ParseDuration)
like `"30m"` or `"6h"`. The value should be less than the `verification_ttl` on the key.
- `access_token_ttl` `(int or duration: <optional>)` The time-to-live for access tokens obtained by the client.
This can be specified as a number of seconds or as a [Go duration format string](https://golang.org/pkg/time/#ParseDuration) like `"30m"` or `"6h"`.
### Sample Payload
```json
{
"key":"test-key",
"access_token_ttl":"30m",
"id_token_ttl":"1h"
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
## Read Client by Name
This endpoint queries a client by its name.
| Method | Path |
| :----- | :------------------------ |
| `GET` | `/identity/oidc/client/:name` |
### Parameters
- `name` `(string: <required>)` The name of the client.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
### Sample Response
```json
{
"data":{
"access_token_ttl":1800,
"assignments":[],
"client_id":"014zXvcvbvIZWwD5NfD1Uzmv7c5JBRMb",
"client_secret":"hvo_secret_bZtgQPBZaJXK7F5vOI7JlvEuLOfOUS7DmwynFjE3xKcsen7TyowqPFfYFXG2tbWM",
"id_token_ttl":3600,
"key":"test-key",
"redirect_uris":[]
}
}
```
## List Clients
This endpoint returns a list of all configured clients.
| Method | Path |
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/client` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/client
```
### Sample Response
```json
{
"data": {
"keys":[
"test-client"
]
}
}
```
## Delete Client by Name
This endpoint deletes a client.
| Method | Path |
| :------- | :------------------------ |
| `DELETE` | `/identity/oidc/client/:name` |
### Parameters
- `name` `(string: <required>)` The name of the client.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
```
## Create or Update an Assignment
This endpoint creates or updates an assignment.
| Method | Path |
| :----- | :----------------- |
| `POST` | `identity/oidc/assignment/:name` |
### Parameters
- `name` `(string: <required>)` The name of the assignment. This parameter is specified as part of the URL.
- `entity_ids` `([]string: <optional>)` - A list of Vault [entity](https://www.vaultproject.io/docs/secrets/identity#entities-and-aliases) IDs.
- `group_ids` `([]string: <optional>)` A list of Vault [group](https://www.vaultproject.io/docs/secrets/identity#identity-groups) IDs.
### Sample Payload
```json
{
"group_ids":["my-group"],
"entity_ids":["my-entity"]
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
## Read Assignment by Name
This endpoint queries an assignment by its name.
| Method | Path |
| :----- | :------------------------ |
| `GET` | `/identity/oidc/assignment/:name` |
### Parameters
- `name` `(string: <required>)` The name of the assignment.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
### Sample Response
```json
{
"data":{
"entity_ids":[
"my-entity"
],
"group_ids":[
"my-group"
]
}
}
```
## List Assignments
This endpoint returns a list of all configured assignments.
| Method | Path |
| :----- | :------------------------------ |
| `LIST` | `/identity/oidc/assignment` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/assignment
```
### Sample Response
```json
{
"data": {
"keys":[
"test-assignment"
]
}
}
```
## Delete Assignment by Name
This endpoint deletes an assignment.
| Method | Path |
| :------- | :------------------------ |
| `DELETE` | `/identity/oidc/assignment/:name` |
### Parameters
- `name` `(string: <required>)` The name of the assignment.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
```
Reference in New Issue View Git Blame Copy Permalink