    Overview

    The User Account and Authentication Service (UAA):

    Authorization

    Authorization Code Grant

    Browser flow

    $ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=code&client_id=login&scope=openid+oauth.approvals&redirect_uri=http%3A%2F%2Flocalhost%2Fapp&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256 HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=gwWRjoQuT4Fgc_jcONCK4H; Path=/; Max-Age=86400; Expires=Thu, 21 Nov 2024 08:36:19 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    Location: http://localhost/app?code=QCmpeSRvZj2N0uXlp-jLGgZwveQREF4-
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Request Parameters

    Parameter | Type | Constraints | Description
    response_type | String | Required | Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec
    client_id | String | Required | a unique string representing the registration information provided by the client
    scope | String | Optional | requested scopes, space-delimited
    redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    code_challenge | String | Optional | (UAA 75.5.0) PKCE Code Challenge. When code_challenge is present, a code_challenge_method must also be provided. A matching code_verifier parameter must be provided in the subsequent request to get an access_token from /oauth/token
    code_challenge_method | String | Optional | (UAA 75.5.0) PKCE Code Challenge Method. The S256 and plain methods are supported. The S256 method creates a BASE64 URL encoded SHA256 hash of the code_verifier. The plain method is intended for constrained devices unable to calculate SHA256; in this case the code_verifier equals the code_challenge. If possible, it is recommended to use S256.
    login_hint | String | Optional | (UAA 4.19.0) Indicates the identity provider to be used. The passed string has to be a URL-encoded JSON object containing the field origin, with the origin_key of an identity provider as its value.

    Api flow

    $ curl 'http://localhost/oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256&state=6KW5NQ' -i -X GET \
        -H 'Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImNmIiwiYXVkIjpbImNmIiwidWFhIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJhenAiOiJjZiIsInNjb3BlIjpbInVhYS51c2VyIl0sImF1dGhfdGltZSI6MTczMjA5MTc3OCwiZXhwIjoxNzMyMTM0OTc4LCJpYXQiOjE3MzIwOTE3NzgsImp0aSI6IjkxZGM2ZTlmN2I0MjQ5NGM5NmM2YmNhNDY3YzQzMGVkIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwicmV2X3NpZyI6IjI2ZGIyMmQxIiwiY2xpZW50X2F1dGhfbWV0aG9kIjoibm9uZSIsImNpZCI6ImNmIn0.RzvJsXMfntaCr_iC7zmQIpFmG9LDdZ-KNTdoWC1uTGX6GqFca_7lFflvlL6irXYxmyyFwzoxN1mjELNqQlS5s9ou2E1QAzA6uW2AufpTda_eIcwChRBt4LOQESEnd3LgWAmlyPAWNZ36W7Bq1_4rvdgI0lhHAuFjHYPKzXap0XkgZT5ZxJ_aMJ84hWjx86Z6VhP4woflYlHypyCZS8roWhMMFlx8jbTNJ2ON6pVda34xL6VhtTwuxVxXPktK8yjs_p8DT3MQzI7KMcfX1JBC_zYRbGbiZq-p62pEgU-V9zzu-KOvKtu0xb8FTsCTFsJFULHoYZsTawFc4C4jUH-wBA'
    
    GET /oauth/authorize?response_type=code&client_id=login&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256&state=6KW5NQ HTTP/1.1
    Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImNmIiwiYXVkIjpbImNmIiwidWFhIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJhenAiOiJjZiIsInNjb3BlIjpbInVhYS51c2VyIl0sImF1dGhfdGltZSI6MTczMjA5MTc3OCwiZXhwIjoxNzMyMTM0OTc4LCJpYXQiOjE3MzIwOTE3NzgsImp0aSI6IjkxZGM2ZTlmN2I0MjQ5NGM5NmM2YmNhNDY3YzQzMGVkIiwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwicmV2X3NpZyI6IjI2ZGIyMmQxIiwiY2xpZW50X2F1dGhfbWV0aG9kIjoibm9uZSIsImNpZCI6ImNmIn0.RzvJsXMfntaCr_iC7zmQIpFmG9LDdZ-KNTdoWC1uTGX6GqFca_7lFflvlL6irXYxmyyFwzoxN1mjELNqQlS5s9ou2E1QAzA6uW2AufpTda_eIcwChRBt4LOQESEnd3LgWAmlyPAWNZ36W7Bq1_4rvdgI0lhHAuFjHYPKzXap0XkgZT5ZxJ_aMJ84hWjx86Z6VhP4woflYlHypyCZS8roWhMMFlx8jbTNJ2ON6pVda34xL6VhtTwuxVxXPktK8yjs_p8DT3MQzI7KMcfX1JBC_zYRbGbiZq-p62pEgU-V9zzu-KOvKtu0xb8FTsCTFsJFULHoYZsTawFc4C4jUH-wBA
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Content-Language: en
    Location: http://localhost/redirect/cf?code=OMCDG1k8Omt3afksGI2SefV7ZIVihT8R&state=6KW5NQ
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Request Parameters

    Parameter | Type | Constraints | Description
    response_type | String | Required | Space-delimited list of response types. Here, code for requesting an authorization code for an access token, as per OAuth spec
    client_id | String | Required | a unique string representing the registration information provided by the client
    redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    code_challenge | String | Optional | (UAA 75.5.0) PKCE Code Challenge. When code_challenge is present, a code_challenge_method must also be provided. A matching code_verifier parameter must be provided in the subsequent request to get an access_token from /oauth/token
    code_challenge_method | String | Optional | (UAA 75.5.0) PKCE Code Challenge Method. The S256 and plain methods are supported. The S256 method creates a BASE64 URL encoded SHA256 hash of the code_verifier. The plain method is intended for constrained devices unable to calculate SHA256; in this case the code_verifier equals the code_challenge. If possible, it is recommended to use S256.
    state | String | Required | any random string to be returned in the Location header as a query parameter, used to achieve per-request customization

    Request Headers

    Name | Description
    Authorization | Bearer token containing uaa.user scope - the authentication for this user
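
    The request parameters above, assembled in code, together with the checks a client can make on the 302 it gets back: the redirect target matches the registered redirect_uri, and the returned state equals the one it sent. This is an added example, not UAA code; build_authorize_url, handle_callback and CallbackError are hypothetical names, and the sample values come from the curl examples above.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit


class CallbackError(Exception):
    """Raised when the redirect back from /oauth/authorize must not be trusted."""


def build_authorize_url(base, client_id, redirect_uri, code_challenge,
                        scope=None, origin=None, state=None):
    """Return (url, state) for an authorization code request using PKCE S256."""
    # A fresh random state per request lets the callback be tied to this request.
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    if scope:
        params["scope"] = " ".join(scope)  # space-delimited, sent as '+'
    if origin:
        # login_hint is itself a URL-encoded JSON object, so it ends up
        # encoded twice on the wire (%257B... as in the curl example).
        hint = json.dumps({"origin": origin}, separators=(",", ":"))
        params["login_hint"] = quote(hint, safe="")
    return base.rstrip("/") + "/oauth/authorize?" + urlencode(params), state


def handle_callback(location, registered_redirect_uri, expected_state):
    """Validate the Location of the 302 and return the authorization code."""
    got, want = urlsplit(location), urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise CallbackError("redirect target differs from the registered redirect_uri")
    params = parse_qs(got.query, keep_blank_values=True)
    # Repeated parameters make the result ambiguous; refuse them.
    for name in ("code", "state", "error"):
        if len(params.get(name, [])) > 1:
            raise CallbackError("duplicate parameter: " + name)
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise CallbackError("state does not match the value sent in the request")
    if "error" in params:
        raise CallbackError("authorization failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise CallbackError("no authorization code in redirect")
    return code


if __name__ == "__main__":
    url, state = build_authorize_url(
        "http://localhost", "login", "http://localhost/redirect/cf",
        "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        origin="uaa", state="6KW5NQ")
    print(url)
    print(handle_callback(
        "http://localhost/redirect/cf?code=OMCDG1k8Omt3afksGI2SefV7ZIVihT8R&state=6KW5NQ",
        "http://localhost/redirect/cf", state))
```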

    Implicit Grant

    $ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=8wUOKg2m2ZjAGdVMA08tCq; Path=/; Max-Age=86400; Expires=Thu, 21 Nov 2024 08:36:18 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiLCJvcGVuaWQiXSwiemlkIjoidWFhIiwiZ3JhbnRfdHlwZSI6ImltcGxpY2l0IiwidXNlcl9pZCI6IjliZTkyNGUyLTc5MzgtNDliMy1iOTQ5LWRjYWIxYzM4OTdlNSIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdXRoX3RpbWUiOjE3MzIwOTE3NzgsImV4cCI6MTczMjEzNDk3OCwiaWF0IjoxNzMyMDkxNzc4LCJqdGkiOiJhMjQyNDhkNTVkZGU0NGYzYjJmN2ZiNjliYzNkYzBkNiIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInJldl9zaWciOiJmYzZlNjM2MCIsImNpZCI6ImFwcCJ9.lVkyxM3mwNcKWmgshQso7P8HzsoqEgIrYvpbxXf6w9vmdG-1D6Nl_2SuPeKNrUMjDenSq4OOK8rYMefUPJfrTyzqqpO_xG_P7G2ZVOm4JVdqX_bzrR8BDOZmmQvulBf07G33QjXpeSQXhfQYJaDI06RD0QqbpdQjSUN_AwMi0TFRl05J4Cq7yNAGGp4UkGTgsUN_8Gf-UCOfKBqfjo1bXSu9zbht0EijjkRHEcaISRrR1vtFWHGsD85HFKSOTomNnp8a6P8Tkx8YZnM7_AUrx58Uw0GjL4KptYvgCW6G_npxUuyUjqJzKwVA9sKXXoGvcqX6BP-wZev6Bl1aWWL8HQ&expires_in=43199&jti=a24248d55dde44f3b2f7fb69bc3dc0d6
    
    

    Request Parameters

    Parameter | Type | Constraints | Description
    response_type | String | Required | Space-delimited list of response types. Here, token, i.e. an access token
    client_id | String | Required | a unique string representing the registration information provided by the client
    scope | String | Optional | requested scopes, space-delimited
    redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint | String | Optional | (UAA 4.19.0) Indicates the identity provider to be used. The passed string has to be a URL-encoded JSON object containing the field origin, with the origin_key of an identity provider as its value.

    Response Headers

    Name | Description
    Location | Location as defined in the spec; includes access_token in the reply fragment if successful

    Implicit Grant with prompt

    $ curl 'http://localhost/oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token&client_id=app&scope=openid&prompt=none&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Set-Cookie: Current-User=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#error=login_required&session_state=1c02565870029b4789b9b1db7dfe4d48592ace988a9e9c10aff4d85f801a6b9b.2a5a55590d990468e88983da4801d3920f645940b915f79708648f3d00eee5ad
    
    

    Request Parameters

    Parameter | Type | Constraints | Description
    response_type | String | Required | Space-delimited list of response types. Here, token, i.e. an access token
    client_id | String | Required | a unique string representing the registration information provided by the client
    scope | String | Optional | requested scopes, space-delimited
    redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    prompt | String | Optional | specifies whether to prompt for user authentication. Only value none is supported.

    Response Headers

    Name | Description
    Location | Redirect URL specified in the request parameters.

    OpenID Connect flow

    OpenID Provider Configuration Request

    An OpenID Provider Configuration Document MUST be queried using an HTTP GET request at the previously specified path.

    $ curl 'http://localhost/.well-known/openid-configuration' -i -X GET \
        -H 'Accept: application/json'
    
    GET /.well-known/openid-configuration HTTP/1.1
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Content-Length: 1375
    
    {
      "issuer" : "http://localhost:8080/uaa/oauth/token",
      "authorization_endpoint" : "http://localhost/oauth/authorize",
      "token_endpoint" : "http://localhost/oauth/token",
      "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post", "private_key_jwt" ],
      "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "userinfo_endpoint" : "http://localhost/userinfo",
      "jwks_uri" : "http://localhost/token_keys",
      "end_session_endpoint" : "http://localhost/logout.do",
      "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
      "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
      "subject_types_supported" : [ "public" ],
      "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "id_token_encryption_alg_values_supported" : [ "none" ],
      "claim_types_supported" : [ "normal" ],
      "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
      "claims_parameter_supported" : false,
      "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
      "ui_locales_supported" : [ "en-US" ],
      "code_challenge_methods_supported" : [ "S256", "plain" ]
    }
    

    Response Fields

    Path | Type | Description
    issuer | String | URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
    authorization_endpoint | String | URL of authorization endpoint.
    token_endpoint | String | URL of token endpoint.
    userinfo_endpoint | String | URL of the OP's UserInfo Endpoint.
    jwks_uri | String | URL of the OP's JSON Web Key Set document.
    end_session_endpoint | String | URL of the logout endpoint.
    scopes_supported | Array | JSON array containing a list of the OAuth 2.0 scope values that this server supports.
    subject_types_supported | Array | JSON array containing a list of the Subject Identifier types that this OP supports.
    token_endpoint_auth_methods_supported | Array | JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
    token_endpoint_auth_signing_alg_values_supported | Array | JSON array containing a list of the JWS signing algorithms.
    response_types_supported | Array | JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
    id_token_signing_alg_values_supported | Array | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
    id_token_encryption_alg_values_supported | Array | JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP.
    claim_types_supported | Array | JSON array containing a list of the Claim Types that the OpenID Provider supports.
    claims_supported | Array | JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for.
    claims_parameter_supported | Boolean | Boolean value specifying whether the OP supports use of the claims parameter.
    service_documentation | String | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider.
    code_challenge_methods_supported | Array | (UAA 75.5.0) JSON array containing a list of PKCE code challenge methods supported by this authorization endpoint.
    ui_locales_supported | Array | Languages and scripts supported for the user interface.

    ID token

    The authorization request may specify a response type of id_token, and an ID token as defined by OpenID Connect will be included in the fragment of the redirect URL.

    $ curl 'http://localhost/oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=xHvJ1VPrF-nI2hPv7NI2em; Path=/; Max-Age=86400; Expires=Thu, 21 Nov 2024 08:36:18 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoibWFyaXNzYSIsIm9yaWdpbiI6InVhYSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJjbGllbnRfaWQiOiJhcHAiLCJhdWQiOlsiYXBwIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJpbXBsaWNpdCIsInVzZXJfaWQiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiYXV0aF90aW1lIjoxNzMyMDkxNzc4LCJleHAiOjE3MzIxMzQ5NzgsImlhdCI6MTczMjA5MTc3OCwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwianRpIjoiYTViMGNlZDg5YWUxNDk4ZWEzNmY0NjhkMmY4MTY5MWMiLCJyZXZfc2lnIjoiZmM2ZTYzNjAiLCJjaWQiOiJhcHAifQ.aQQqrWiWArTo_YIcJ893oobkTEfE6joC4Yu0bG9K-r_yzhII2oYKRAoSLaH8eD1zXp28cbnAfIF2kECUPYVwl09D-vrlZRxFI79QSWgnKAat734pqif3bOlGkfvE__EytQcUE84gDlYq2CfszyIVVLF7WT4HPSW_i2BUoGYvgIthI-6mzafYVkPcikDHS3WiAgAnXrElyMFhueT8NPkH0rultrzbT31mqi4HbEK225z7ROW46iEegXAkBvA3Z6LDKGV6dga-fWWArzQw4w7U0paT_kcpx7wShnHp6s_oWoI3q7-UrRKsHTD_yd4WW-7Va74RljG13uFZxK_VUy0DTg&expires_in=43199&jti=a5b0ced89ae1498ea36f468d2f81691c
    
    

    Request Parameters

    Parameter | Type | Constraints | Description
    response_type | String | Required | Space-delimited list of response types. Here, id_token
    client_id | String | Required | a unique string representing the registration information provided by the client
    scope | String | Optional | requested scopes, space-delimited
    redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint | String | Optional | (UAA 4.19.0) Indicates the identity provider to be used. The passed string has to be a URL-encoded JSON object containing the field origin, with the origin_key of an identity provider as its value.

    Response Headers

    Name | Description
    Location | Location as defined in the spec; includes id_token in the reply fragment if successful

    ID token and Access token

    The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the access token.

    $ curl 'http://localhost/oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=token+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=WM-icOs2MxM0KHTGaUM1m7; Path=/; Max-Age=86400; Expires=Thu, 21 Nov 2024 08:36:18 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&access_token=eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImFwcCIsImF1ZCI6WyJhcHAiLCJvcGVuaWQiXSwiemlkIjoidWFhIiwiZ3JhbnRfdHlwZSI6ImltcGxpY2l0IiwidXNlcl9pZCI6IjliZTkyNGUyLTc5MzgtNDliMy1iOTQ5LWRjYWIxYzM4OTdlNSIsImF6cCI6ImFwcCIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdXRoX3RpbWUiOjE3MzIwOTE3NzgsImV4cCI6MTczMjEzNDk3OCwiaWF0IjoxNzMyMDkxNzc4LCJqdGkiOiIwYjQ4M2YxNjZhYTk0YzUzOGMzYTNmM2RiZWJmMDg1ZCIsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsInJldl9zaWciOiJmYzZlNjM2MCIsImNpZCI6ImFwcCJ9.fGwzQWxXBCAAUAjRJ2OSMev9Syx4Ktm2vrCBX8Nq0Kv7YQtpm2M2VhwMm5XXrsasBJxtvK-woYhPwGL_o0Y9upsmfGARWLB4lHmKStY2vr3p3LDohF3E9_lIYxptPCegXfPWDW_w-_tSLcQPCCRUlHhAQkXY4U-CRBwOgCruvrJwmK9gBaqwPcxnTkehB9MCoYhxjudhkGz-58pBlsE9lk9g1i_XzU3c1DbN4CDWRoH_7GFxPcjqvP5n8p-MMSdxp-HtbQivbkYQ8n49yjrtfu2XVXc_0vonSpFfX-iDG9bR_bZ1ORKYnW6dNmjbsr9k3P4E_MYsADdoAsd5jThLOw&id_token=eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoibWFyaXNzYSIsIm9yaWdpbiI6InVhYSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJjbGllbnRfaWQiOiJhcHAiLCJhdWQiOlsiYXBwIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJpbXBsaWNpdCIsInVzZXJfaWQiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiYXV0aF90aW1lIjoxNzMyMDkxNzc4LCJleHAiOjE3MzIxMzQ5NzksImlhdCI6MTczMjA5MTc3OSwiZW1haWwiOiJtYXJpc3NhQHRlc3Qub3JnIiwianRpIjoiMGI0ODNmMTY2YWE5NGM1MzhjM2EzZjNkYmViZjA4NWQiLCJyZXZfc2lnIjoiZmM2ZTYzNjAiLCJjaWQiOiJhcHAifQ.bIloGb6uoivY_Ntp4921TrNqg-gV1en0gRsicVBRfN0Cset44Is3UwMLP8I3GBNmnNq-s3SRDruw9bofXkFrHYsl6CH1DzznsrV5hSLpw-EDaDCQ1qgba_hXiltRIzTUP_vWxDdjtN-VtBh1j8elc2R72YqtgB5MaXZY9d8GGYbNRzYBzyJiqGBwr40czarn6rr2R9YsAbRtYVcbF2gE1A1Eukw0JK0ggRw7xX189L0KaZC6NRAbr6IcdYHLd-RudrnqO0Cem24rR0mpkB7PA1tDgGKXtZSLZztKOPva-MKoHrUGjtw7ZyWP5C6dVHYkG7vMa7_gQloltiNlL8JNMA&expires_in=43199&jti=0b483f166aa94c538c3a3f3dbebf085d
    
    

    Request Parameters

    Parameter | Type | Constraints | Description
    response_type | String | Required | Space-delimited list of response types. Here, token id_token, indicating both an access token and an ID token.
    client_id | String | Required | a unique string representing the registration information provided by the client
    scope | String | Optional | requested scopes, space-delimited
    redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint | String | Optional | (UAA 4.19.0) Indicates the identity provider to be used. The passed string has to be a URL-encoded JSON object containing the field origin, with the origin_key of an identity provider as its value.

    Response Headers

    Name | Description
    Location | Location as defined in the spec; includes access_token and id_token in the reply fragment if successful

    Hybrid flow

    The request may specify that the client expects an ID token as defined by OpenID Connect, and this ID token will be included alongside the authorization code.

    $ curl 'http://localhost/oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D' -i -X GET \
        -H 'Accept: application/x-www-form-urlencoded'
    
    GET /oauth/authorize?response_type=code+id_token&client_id=app&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapp%2F&login_hint=%257B%2522origin%2522%253A%2522uaa%2522%257D HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=tLvLI5cCtq3Fx4-6DjhR-y; Path=/; Max-Age=86400; Expires=Thu, 21 Nov 2024 08:36:19 GMT; HttpOnly; SameSite=Lax
    Cache-Control: no-store
    Content-Language: en
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://localhost:8080/app/#token_type=bearer&id_token=eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YmU5MjRlMi03OTM4LTQ5YjMtYjk0OS1kY2FiMWMzODk3ZTUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoibWFyaXNzYSIsIm9yaWdpbiI6InVhYSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJjbGllbnRfaWQiOiJhcHAiLCJhdWQiOlsiYXBwIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJhdXRob3JpemF0aW9uX2NvZGUiLCJ1c2VyX2lkIjoiOWJlOTI0ZTItNzkzOC00OWIzLWI5NDktZGNhYjFjMzg5N2U1IiwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImF1dGhfdGltZSI6MTczMjA5MTc3OSwiZXhwIjoxNzMyMTM0OTc5LCJpYXQiOjE3MzIwOTE3NzksImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsImp0aSI6IjA2MjA1NzNlZDhhNzQwMGE4ODg2NmYwNzI0OGI2YWM4IiwicmV2X3NpZyI6ImZjNmU2MzYwIiwiY2lkIjoiYXBwIn0.ApwtPEYqrYv1ZltObebfhTvoGHPJF8zhsD72ZudJMub_45OOeeyWM8u5pBhfC7MjT-IesVul_VTrcSjwKlSudRnVyHyVXMGgchAJzk5s4NDzdkMkVifS0ml0s6ED_RVn38Y1YzRaivi5TBC_9R_NCIYISrEb5XymODNpiPbL-blJ2eUqmRCV3lGnW60f9M0kwktIFDBOFHuMewK9b_HHA4gXbxY13cTdXcJzpd_xV0poqV_GwjwaHPL7YVslp6ITbe3800F5LD7b4c42eMT9GUVWa3jrxeJx1IVR4euOQE6x_a5veg54nO8QGQs0zFxBLTB7w13tZzndxWlSkdUbVg&code=fI51uXARydb4j33xUxdX5q0GBPt_-SeN&expires_in=43199&jti=0620573ed8a7400a88866f07248b6ac8
    
    

    Request Parameters

    Parameter | Type | Constraints | Description
    response_type | String | Required | Space-delimited list of response types. Here, id_token code, indicating a request for an ID token and an authorization code.
    client_id | String | Required | a unique string representing the registration information provided by the client
    scope | String | Optional | requested scopes, space-delimited
    redirect_uri | String | Optional | redirection URI to which the authorization server will send the user-agent back once access is granted (or denied), optional if pre-registered by the client
    login_hint | String | Optional | (UAA 4.19.0) Indicates the identity provider to be used. The passed string has to be a URL-encoded JSON object containing the field origin, with the origin_key of an identity provider as its value.

    Response Headers

    Name | Description
    Location | Location as defined in the spec; includes code and id_token in the reply fragment if successful

    Token

    The /oauth/token endpoint requires client authentication, unless you allow public usage. For more details about public usage, see the allowpublic flag in the client details configuration. For confidential clients, the client authentication can be passed in the request Authorization header, using basic authentication, or in the request parameters, using either client_id and client_secret or client_assertion_type and client_assertion. The client authentication methods are explained in the OpenID Core specification. UAA currently supports none, client_secret_basic, client_secret_post and private_key_jwt.

    Authorization Code Grant

    $ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=authorization_code&code=ya5CA_CTCuSuxl6xI0WE36Z7Bk_XRGco&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=authorization_code&code=ya5CA_CTCuSuxl6xI0WE36Z7Bk_XRGco&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1386
    
    {
      "access_token" : "a63d1ede97674b8bb0e91aa23e584eed",
      "token_type" : "bearer",
      "id_token" : "eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI1NTc5MTcwYi1iMmNjLTRkMDMtOGNlZC1kYjkxNGRhMzc2YjEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoiYmVaOHVoQHRlc3Qub3JnIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImxvZ2luIiwiYXVkIjpbImxvZ2luIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJhdXRob3JpemF0aW9uX2NvZGUiLCJ1c2VyX2lkIjoiNTU3OTE3MGItYjJjYy00ZDAzLThjZWQtZGI5MTRkYTM3NmIxIiwiYXpwIjoibG9naW4iLCJzY29wZSI6WyJvcGVuaWQiXSwiYXV0aF90aW1lIjoxNzMyMDkxNzg1LCJleHAiOjE3MzIxMzQ5ODUsImlhdCI6MTczMjA5MTc4NSwiZW1haWwiOiJiZVo4dWhAdGVzdC5vcmciLCJqdGkiOiJhNjNkMWVkZTk3Njc0YjhiYjBlOTFhYTIzZTU4NGVlZCIsInJldl9zaWciOiI3MzA4NWI2IiwiY2lkIjoibG9naW4ifQ.NJQ4Vbj2p3h1S4Pf67PVKSjtoqyq0oV0wGXxgI5gYjvx00qo_0ABhboL5b3VZOL7JxnLKatlgO8Kev9c42MCEiJAsqd0lZEiXcnffilrrTVeC-9pCnjJl1G8VSqXLRZvSsYywtOQDfKwS8TkDDEjkV_gLQK9YGz0hP_AYFzSc4eISROyrDlgtls3UVJfvI9VGHleXxMhuh_1zRzpJs5-12TIUBIcmnGEJl3Kwv8ZKsNWF1fQy7aXTi2wYcJ_zA7oBjRsSg9I-rkN9eVV5ljIghxpMtM9FBQ9JoW0wCUMcNbNuuV91RvjTv3tCIdAjZBbtDxwJkbAtHlJeNFAUw5RPw",
      "refresh_token" : "5df1598d0e2344a8ab3c87ed3e49ceea-r",
      "expires_in" : 43199,
      "scope" : "openid oauth.approvals",
      "jti" : "a63d1ede97674b8bb0e91aa23e584eed"
    }
    

    Request Headers

    Name Description
    Authorization Client ID and secret may be passed as a basic authorization header, per RFC 6749 or as request parameters.

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header or as part of the client_assertion.
    redirect_uri String Required if provided on authorization request redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
    code String Required the authorization code, obtained from /oauth/authorize, issued for the user
    grant_type String Required the type of authentication being used to obtain the token, in this case authorization_code
    client_secret String Optional UAA 75.21.0 Optional and can be omitted if the client has configured allowpublic and PKCE with code_challenge_method=S256 is used to create the code.
    client_assertion String Optional UAA 76.23.0 Client authentication using the private_key_jwt method. Optional replacement for the secret-based methods client_secret_basic and client_secret_post. The client needs a valid JWT configuration so that the JWT in client_assertion is trusted.
    client_assertion_type String Optional UAA 76.23.0 RFC 7523 describes the type. Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer if client_assertion parameter is present.
    code_verifier String Optional UAA 75.5.0 PKCE Code Verifier. A code_verifier parameter must be provided if a code_challenge parameter was present in the previous call to /oauth/authorize. The code_verifier must match the used code_challenge (according to the selected code_challenge_method)
    token_format String Optional (defaults to jwt) Can be set to opaque to retrieve an opaque token or to jwt to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.
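
    The code_verifier and code_challenge relationship described in the parameters above, as an added example that is not UAA code: it recomputes the S256 challenge as defined in RFC 7636 and builds a token request body for a public client that sends no client_secret. The function names are illustrative assumptions; the sample verifier and challenge are the values used in this page's requests.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 characters from the "unreserved" set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Create a fresh verifier; 32 random bytes encode to 43 characters."""
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must give a 43-128 character verifier")
    return _b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier has invalid length or characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Server-side check: does the verifier fit the stored challenge?"""
    if not _VERIFIER_RE.fullmatch(verifier):
        return False
    if method == "S256":
        expected = s256_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), challenge.encode())


def public_client_token_body(client_id: str, code: str, verifier: str,
                             redirect_uri: str) -> str:
    """Form body for /oauth/token when the client is configured with
    allowpublic and the code was created with code_challenge_method=S256,
    so no client_secret is sent."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier has invalid length or characters")
    return urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    })


# Values taken from this page's authorization and token requests.
PAGE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
PAGE_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    print(s256_challenge(PAGE_VERIFIER) == PAGE_CHALLENGE)
    print(public_client_token_body(
        "login", "ya5CA_CTCuSuxl6xI0WE36Z7Bk_XRGco", PAGE_VERIFIER,
        "http://localhost/redirect/cf"))
```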

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    Client Credentials Grant

    Without Authorization

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&scope=scim.write&grant_type=client_credentials&token_format=opaque'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&scope=scim.write&grant_type=client_credentials&token_format=opaque
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 180
    
    {
      "access_token" : "c1ef9c8c720b413496473e3abe983f7e",
      "token_type" : "bearer",
      "expires_in" : 43199,
      "scope" : "scim.write",
      "jti" : "c1ef9c8c720b413496473e3abe983f7e"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header or as part of the client_assertion.
    grant_type String Required the type of authentication being used to obtain the token, in this case client_credentials
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header or if client_assertion is sent as part of private_key_jwt authentication.
    client_assertion String Optional UAA 76.23.0 Client authentication using the private_key_jwt method. Optional replacement for the secret-based methods client_secret_basic and client_secret_post. The client needs a valid JWT configuration so that the JWT in client_assertion is trusted.
    client_assertion_type String Optional UAA 76.23.0 RFC 7523 describes the type. Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer if client_assertion parameter is present.
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.
    token_format String Optional (defaults to jwt) Can be set to opaque to retrieve an opaque token or to jwt to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized for this client. This list is derived from the authorities configured on the client.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    With Authorization

    $ curl 'http://localhost/oauth/token' -i -u 'login:loginsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'grant_type=client_credentials&scope=scim.write&token_format=opaque'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Authorization: Basic bG9naW46bG9naW5zZWNyZXQ=
    Host: localhost
    
    grant_type=client_credentials&scope=scim.write&token_format=opaque
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 180
    
    {
      "access_token" : "4c68b2d6651f4f25b472e60c5155e2aa",
      "token_type" : "bearer",
      "expires_in" : 43199,
      "scope" : "scim.write",
      "jti" : "4c68b2d6651f4f25b472e60c5155e2aa"
    }
    

    Request Header

    Name Description
    Authorization Base64 encoded client details in the format: Basic client_id:client_secret

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case client_credentials
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.
    token_format String Optional (defaults to jwt) Can be set to opaque to retrieve an opaque token or to jwt to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized for this client. This list is derived from the authorities configured on the client.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    Password Grant

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=app&client_secret=appclientsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=password&username=vPDUJL%40test.org&password=secr3T&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=app&client_secret=appclientsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=password&username=vPDUJL%40test.org&password=secr3T&token_format=opaque&login_hint=%7B%22origin%22%3A%22uaa%22%7D
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1439
    
    {
      "access_token" : "8a96de3465a740e495d560a29b227cce",
      "token_type" : "bearer",
      "id_token" : "eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIwMjliODM1YS1kMWQ0LTQyZDMtODE3MS0xNjVlODkyMDQ5YjEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoidlBEVUpMQHRlc3Qub3JnIiwiYW1yIjpbInB3ZCJdLCJvcmlnaW4iOiJ1YWEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiY2xpZW50X2lkIjoiYXBwIiwiYXVkIjpbImFwcCJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMDI5YjgzNWEtZDFkNC00MmQzLTgxNzEtMTY1ZTg5MjA0OWIxIiwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImF1dGhfdGltZSI6MTczMjA5MTc4MiwiZXhwIjoxNzMyMTM0OTgyLCJpYXQiOjE3MzIwOTE3ODIsImVtYWlsIjoidlBEVUpMQHRlc3Qub3JnIiwianRpIjoiOGE5NmRlMzQ2NWE3NDBlNDk1ZDU2MGEyOWIyMjdjY2UiLCJyZXZfc2lnIjoiYTBkYzgwZDgiLCJjaWQiOiJhcHAifQ.enajTKmNrGSXEs0n-u7OnvfzOa7Zzv5uamUDXeyEkM8rLDVmx__RgNWga1lHD1zxj1Diisirh5bF4X-rS6_k9fTFB2ShwaWkQCakgY38yTt_e762VF7cRKmL56CZeqyqD9yutUkdwEFFXrCu7vRvYKTuwzZA31ko0eO9G4-o1KV3HYyYBkI27D6jOJJGVjFkooTC0-L2l0945Tzdq6uChdhFZZfa1JNx3aT3u7rxnpPDivpfhNLOLPax3cOIFo1jlEuj9LL3FH8jQJdu9Rqvt5aBjbZlVO0wd4dqnSwdl3I1kxffq47zTsWvIlQCx55he-qcyNI3wv7Cd2tzGGx7Pw",
      "refresh_token" : "970efe03e2a14c18856a44b95aaea4b1-r",
      "expires_in" : 43199,
      "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
      "jti" : "8a96de3465a740e495d560a29b227cce"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header or as part of the client_assertion.
    grant_type String Required the type of authentication being used to obtain the token, in this case password
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header or if client_assertion is sent as part of private_key_jwt authentication.
    client_assertion String Optional UAA 76.23.0 Client authentication using the private_key_jwt method. Optional replacement for the secret-based methods client_secret_basic and client_secret_post. The client needs a valid JWT configuration so that the JWT in client_assertion is trusted.
    client_assertion_type String Optional UAA 76.23.0 RFC 7523 describes the type. Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer if client_assertion parameter is present.
    username String Required the username for the user trying to get a token
    password String Required the password for the user trying to get a token
    token_format String Optional (defaults to jwt) Can be set to opaque to retrieve an opaque token or to jwt to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.
    login_hint String Optional UAA 75.5.0 Indicates the identity provider to be used. The passed string has to be a URL-Encoded JSON Object, containing the field origin with value as origin_key of an identity provider. Note that this identity provider must support the grant type password.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    One-time Passcode

    $ curl 'http://localhost/oauth/token' -i -u 'app:appclientsecret' -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'grant_type=password&passcode=HdX38Hd56qjeY40edn35dZr8DoGI38S6&token_format=opaque'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    Host: localhost
    
    grant_type=password&passcode=HdX38Hd56qjeY40edn35dZr8DoGI38S6&token_format=opaque
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1380
    
    {
      "access_token" : "213b4d748531494eaf885e6780cd9d89",
      "token_type" : "bearer",
      "id_token" : "eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5YTEzZjViZi1kNGM5LTQ1M2EtYTdkYS00YjkyNjZhYmFiNmEiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoibWFyaXNzYSIsIm9yaWdpbiI6InVhYSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJjbGllbnRfaWQiOiJhcHAiLCJhdWQiOlsiYXBwIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiI5YTEzZjViZi1kNGM5LTQ1M2EtYTdkYS00YjkyNjZhYmFiNmEiLCJhenAiOiJhcHAiLCJzY29wZSI6WyJvcGVuaWQiXSwiZXhwIjoxNzMyMTM0OTgxLCJpYXQiOjE3MzIwOTE3ODEsImVtYWlsIjoibWFyaXNzYUB0ZXN0Lm9yZyIsImp0aSI6IjIxM2I0ZDc0ODUzMTQ5NGVhZjg4NWU2NzgwY2Q5ZDg5IiwicmV2X3NpZyI6IjY0MzQ1NjhlIiwiY2lkIjoiYXBwIn0.OS958Xk6Mo_9NJzSqK8GFuWhvlIEPEJGJe_-OxaMSReWEJf6Q12sRBTSObaBDRmcMAUNekVElcHxWmF4YNt3JYLFp_T2LtYn9Nh4USWkaExXAXKowT2m79XbShgUXABYhs7ZG0fyQwNuWvN2avKdaT1N1d6BPXyHOHQUQtWPVrs7tu9baBPO99ZdOMC5JA5sCphwGbvoAr9lsklt9PI2p9IbeA54GUv5DkU94V4viT_ilikodu7arp-Lyt4jMMKf27oaDiEXC_cvJI6FvLtrSMlEkT9TdUIH2YES0yLPko8QbRCLCDABn_RXRj9cM9sbtDiqmt63FtjWz2Yb-YaXKw",
      "refresh_token" : "43f93774898843c8b36700462759c041-r",
      "expires_in" : 43199,
      "scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write",
      "jti" : "213b4d748531494eaf885e6780cd9d89"
    }
    

    Request Header

    Name Description
    Authorization Base64 encoded client details in the format: Basic client_id:client_secret

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case password
    passcode String Required the one-time passcode for the user which can be retrieved by going to /passcode
    token_format String Optional (defaults to jwt) Can be set to opaque to retrieve an opaque token or to jwt to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    User Token Grant

    A user_token grant is a flow that allows the generation of a refresh_token for another client. The requesting client must have grant_type=user_token, and the bearer token for this request must have uaa.user and be a token that represents an authenticated user.

    The idea with this grant flow is that a user can preapprove a token grant for another client, rather than having to participate in the approval process when the client needs the access token.

    The refresh_token that results from this grant is opaque and can only be exchanged by the client it was intended for.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Authorization: Bearer 1e8337ecc90941298803c66a2455f115' \
        -H 'Accept: application/json' \
        -d 'client_id=app&grant_type=user_token&scope=openid&token_format=jwt'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer 1e8337ecc90941298803c66a2455f115
    Accept: application/json
    Host: localhost
    
    client_id=app&grant_type=user_token&scope=openid&token_format=jwt
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 206
    
    {
      "access_token" : null,
      "token_type" : "bearer",
      "refresh_token" : "3839962c2b2d4e60b2f1575c0e1b4929-r",
      "expires_in" : 43199,
      "scope" : "openid",
      "jti" : "3839962c2b2d4e60b2f1575c0e1b4929-r"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional The client ID of the receiving client. This client must have the refresh_token grant type.
    grant_type String Required The type of token grant requested, in this case user_token
    token_format String Optional (defaults to jwt) This parameter is ignored. The refresh_token will always be opaque
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

    Response Fields

    Path Type Description
    access_token Null This field is always null.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    SAML2 Bearer Grant

    The SAML 2.0 bearer grant allows a client to request an OAuth 2.0 access token with a SAML 2.0 bearer assertion. The flow is defined in RFC 7522. The requesting client must have grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer. In addition, the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed. Trust in the assertion issuer is reused from the SAML 2.0 WebSSO profiles.

    This grant enables an App2App mechanism with SSO. Typical scenarios are applications outside of CF that consume a service within the CF world. The endpoint for the bearer assertion is /oauth/token/alias/<entityid>, so the Recipient attribute in the bearer assertion must point to the corresponding URI, e.g. http://localhost:8080/uaa/oauth/token/alias/cloudfoundry-saml-login.
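
    A pre-flight check for the Recipient requirement above, as an added example that is not part of the UAA documentation or code base. The assertion is constructed and unsigned; the function names, the expected audience value, and the additional bearer-method, expiry and audience checks (taken from RFC 7522) are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed, unsigned assertion carrying only the fields checked below.
SAMPLE_XML = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    "<saml2:Issuer>cloudfoundry-saml-login</saml2:Issuer>"
    "<saml2:Subject>"
    "<saml2:NameID>Saml2BearerIntegrationUser</saml2:NameID>"
    '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml2:SubjectConfirmationData NotOnOrAfter="2024-11-20T09:36:23.434Z" '
    'Recipient="http://localhost:8080/uaa/oauth/token/alias/cloudfoundry-saml-login"/>'
    "</saml2:SubjectConfirmation>"
    "</saml2:Subject>"
    '<saml2:Conditions NotBefore="2024-11-20T08:36:21.442Z" '
    'NotOnOrAfter="2024-11-20T09:36:23.434Z">'
    "<saml2:AudienceRestriction>"
    "<saml2:Audience>cloudfoundry-saml-login</saml2:Audience>"
    "</saml2:AudienceRestriction>"
    "</saml2:Conditions>"
    "</saml2:Assertion>"
)


def alias_endpoint(uaa_base_url, entity_id):
    """Token endpoint in the /oauth/token/alias/<entityid> form the page gives."""
    return uaa_base_url.rstrip("/") + "/oauth/token/alias/" + entity_id


def encode_assertion(xml_text):
    """Base64url without padding, as the assertion form parameter carries it."""
    return base64.urlsafe_b64encode(xml_text.encode("utf-8")).rstrip(b"=").decode("ascii")


def _decode(assertion_b64):
    return base64.urlsafe_b64decode(assertion_b64 + "=" * (-len(assertion_b64) % 4))


def _instant(value):
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def preflight(assertion_b64, token_endpoint, audience, now=None):
    """Return a list of problems; an empty list means the checked fields line up.

    This is a client-side sanity check on an assertion the caller already
    holds. It does not verify the XML signature and ElementTree is not a
    hardened parser for untrusted XML; trust decisions stay with the UAA.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(_decode(assertion_b64))
    problems = []

    data = [
        conf.find("saml2:SubjectConfirmationData", NS)
        for conf in root.findall("saml2:Subject/saml2:SubjectConfirmation", NS)
        if conf.get("Method") == BEARER
    ]
    data = [d for d in data if d is not None]
    if not data:
        problems.append("no-bearer-confirmation")
    elif not any(d.get("Recipient") == token_endpoint for d in data):
        # The Recipient must be the alias endpoint, not plain /oauth/token.
        problems.append("recipient-mismatch")

    # RFC 7522 allows the expiry on SubjectConfirmationData or on Conditions.
    conditions = root.find("saml2:Conditions", NS)
    expiries = [d.get("NotOnOrAfter") for d in data]
    if conditions is not None:
        expiries.append(conditions.get("NotOnOrAfter"))
    expiries = [_instant(e) for e in expiries if e]
    if not expiries:
        problems.append("no-expiry")
    elif any(now >= e for e in expiries):
        problems.append("expired")

    audiences = [
        a.text for a in
        root.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    ]
    if audience not in audiences:
        problems.append("audience-mismatch")
    return problems


if __name__ == "__main__":
    endpoint = alias_endpoint("http://localhost:8080/uaa", "cloudfoundry-saml-login")
    when = datetime(2024, 11, 20, 9, 0, tzinfo=timezone.utc)
    encoded = encode_assertion(SAMPLE_XML)
    print(preflight(encoded, endpoint, "cloudfoundry-saml-login", now=when))
```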

    $ curl 'http://68uexx.localhost:8080/uaa/oauth/token/alias/68uexx.cloudfoundry-saml-login' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -H 'Host: 68uexx.localhost' \
        -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientdI5NZY&client_secret=secret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJc3N1ZUluc3RhbnQ9IjIwMjQtMTEtMjBUMDg6MzY6MjMuNDM0WiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyPjY4dWV4eC5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHM6UmVmZXJlbmNlIFVSST0iIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU-RVNRODNSaFRVQ04wUUpUV2dVUWdZMTRPUGR6L25kNjZMNDVxTFpuTjRYWT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-WFA0aC9td
jBlYTRBNU10aG1ERVpEZ3BvbzJKL1FaanA1U0t0MFFzM3ZnSW9lcFJjRmtPbW85ajNQNWh4Uk9oVCtkdkpnQkVmdjBqMGl2K3FrczdzZlliUHdNMm1jeUk0d2ZxZGIrMU05QWJTa3RrYVZZcmlnZkYwR2xNeGIzaHBycjRJU1ZpbXlHMkY2QkFrTWhkU2lNWGdqYlUxR0Y2dFpNei9McENkMEI4PTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xO
m5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiIE5hbWVRdWFsaWZpZXI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5TYW1sMkJlYXJlckludGVncmF0aW9uVXNlcjwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyNC0xMS0yMFQwOTozNjoyMy40MzRaIiBSZWNpcGllbnQ9Imh0dHA6Ly82OHVleHgubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuL2FsaWFzLzY4dWV4eC5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q-PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDI0LTExLTIwVDA4OjM2OjIxLjQ0MloiIE5vdE9uT3JBZnRlcj0iMjAyNC0xMS0yMFQwOTozNjoyMy40MzRaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U-Njh1ZXh4LmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24-PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjQtMTEtMjBUMDg6MzY6MjMuNDM0WiIgU2Vzc2lvbkluZGV4PSJhMzU4YTA2YzE1amE4ZDdhMWlkamFqMDdqYjUyZ2RpIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTExLTIwVDA5OjM2OjIzLjQzNFoiPjxzYW1sMjpBdXRobkNvbnRleHQ-PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid'
    
    POST /uaa/oauth/token/alias/68uexx.cloudfoundry-saml-login HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: 68uexx.localhost
    
    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&client_id=testclientdI5NZY&client_secret=secret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&assertion=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDI6QXNzZXJ0aW9uIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJc3N1ZUluc3RhbnQ9IjIwMjQtMTEtMjBUMDg6MzY6MjMuNDM0WiIgVmVyc2lvbj0iMi4wIj48c2FtbDI6SXNzdWVyPjY4dWV4eC5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbjwvc2FtbDI6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHM6UmVmZXJlbmNlIFVSST0iIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8-PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU-RVNRODNSaFRVQ04wUUpUV2dVUWdZMTRPUGR6L25kNjZMNDVxTFpuTjRYWT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU-WFA0aC9tdjBlYTRBN
U10aG1ERVpEZ3BvbzJKL1FaanA1U0t0MFFzM3ZnSW9lcFJjRmtPbW85ajNQNWh4Uk9oVCtkdkpnQkVmdjBqMGl2K3FrczdzZlliUHdNMm1jeUk0d2ZxZGIrMU05QWJTa3RrYVZZcmlnZkYwR2xNeGIzaHBycjRJU1ZpbXlHMkY2QkFrTWhkU2lNWGdqYlUxR0Y2dFpNei9McENkMEI4PTwvZHM6U2lnbmF0dXJlVmFsdWU-PGRzOktleUluZm8-PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU-TUlJRFNUQ0NBcktnQXdJQkFnSUJBREFOQmdrcWhraUc5dzBCQVFRRkFEQjhNUXN3Q1FZRFZRUUdFd0poZHpFT01Bd0dBMVVFQ0JNRgpZWEoxWW1FeERqQU1CZ05WQkFvVEJXRnlkV0poTVE0d0RBWURWUVFIRXdWaGNuVmlZVEVPTUF3R0ExVUVDeE1GWVhKMVltRXhEakFNCkJnTlZCQU1UQldGeWRXSmhNUjB3R3dZSktvWklodmNOQVFrQkZnNWhjblZpWVVCaGNuVmlZUzVoY2pBZUZ3MHhOVEV4TWpBeU1qSTIKTWpkYUZ3MHhOakV4TVRreU1qSTJNamRhTUh3eEN6QUpCZ05WQkFZVEFtRjNNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRQpDaE1GWVhKMVltRXhEakFNQmdOVkJBY1RCV0Z5ZFdKaE1RNHdEQVlEVlFRTEV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4CkhUQWJCZ2txaGtpRzl3MEJDUUVXRG1GeWRXSmhRR0Z5ZFdKaExtRnlNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0IKZ1FESHRDNWdVWHhCS3BFcVpUTGtOdkZ3TkduTklrZ2dOT3dPUVZOYnBPMFdWSElpdmlnNUwzOVdxUzl1MGhuQStPN01DQS9LbHJBUgo0YlhhZVZWaHdmVVBZQktJcGFhVFdGUVI1Y1RSMVVGWkpML09GOXZBZnBPd3pub0Q2NkREQ25RVnBiQ2p0RFlXWCt4NmlteG44SENZCnhoTW9sNlpuVGJTc0ZXNlZaakZNalFJREFRQUJvNEhhTUlIWE1CMEdBMVVkRGdRV0JCVHgwbER6akgvaU9Cbk9TUWFTRVdRTHgxc3kKR0RDQnB3WURWUjBqQklHZk1JR2NnQlR4MGxEempIL2lPQm5PU1FhU0VXUUx4MXN5R0tHQmdLUitNSHd4Q3pBSkJnTlZCQVlUQW1GMwpNUTR3REFZRFZRUUlFd1ZoY25WaVlURU9NQXdHQTFVRUNoTUZZWEoxWW1FeERqQU1CZ05WQkFjVEJXRnlkV0poTVE0d0RBWURWUVFMCkV3VmhjblZpWVRFT01Bd0dBMVVFQXhNRllYSjFZbUV4SFRBYkJna3Foa2lHOXcwQkNRRVdEbUZ5ZFdKaFFHRnlkV0poTG1GeWdnRUEKTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVFQlFBRGdZRUFZdkJKMEhPWmJiSENsWG1HVWpHcytHUyt4QzFGTy9hbQoyc3VDU1lxTkI5ZHlNWGZPV2lKMStUTEprK28vWVp0OHZ1eENLZGNaWWdsNGwvTDZQeEo5ODJTUmhjODNaVzJka0FaSTRNMC9VZDNvCmVQZTg0azhqbTNBN0V2SDV3aTVodkNrS1JwdVJCd24zRWkrakNSb3V4VGJ6S1BzdUNWQisxc055eE1UWHpmMD08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDI6U3ViamVjdD48c2FtbDI6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZ
C1mb3JtYXQ6dW5zcGVjaWZpZWQiIE5hbWVRdWFsaWZpZXI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5TYW1sMkJlYXJlckludGVncmF0aW9uVXNlcjwvc2FtbDI6TmFtZUlEPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI-PHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyNC0xMS0yMFQwOTozNjoyMy40MzRaIiBSZWNpcGllbnQ9Imh0dHA6Ly82OHVleHgubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuL2FsaWFzLzY4dWV4eC5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q-PHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDI0LTExLTIwVDA4OjM2OjIxLjQ0MloiIE5vdE9uT3JBZnRlcj0iMjAyNC0xMS0yMFQwOTozNjoyMy40MzRaIj48c2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDI6QXVkaWVuY2U-Njh1ZXh4LmNsb3VkZm91bmRyeS1zYW1sLWxvZ2luPC9zYW1sMjpBdWRpZW5jZT48L3NhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24-PC9zYW1sMjpDb25kaXRpb25zPjxzYW1sMjpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjQtMTEtMjBUMDg6MzY6MjMuNDM0WiIgU2Vzc2lvbkluZGV4PSJhMzU4YTA2YzE1amE4ZDdhMWlkamFqMDdqYjUyZ2RpIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDI0LTExLTIwVDA5OjM2OjIzLjQzNFoiPjxzYW1sMjpBdXRobkNvbnRleHQ-PHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPg&scope=openid
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    Content-Disposition: inline;filename=f.txt
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1497
    
    {
      "access_token" : "eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZTQ1YzhhMC1kNThkLTRkMTEtYThlMi1kY2JmOWQ1YTI3NjQiLCJ1c2VyX25hbWUiOiJTYW1sMkJlYXJlckludGVncmF0aW9uVXNlciIsIm9yaWdpbiI6IjY4dWV4eC5jbG91ZGZvdW5kcnktc2FtbC1sb2dpbiIsImlzcyI6Imh0dHA6Ly82OHVleHgubG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiY2xpZW50X2lkIjoidGVzdGNsaWVudGRJNU5aWSIsImF1ZCI6WyJ0ZXN0Y2xpZW50ZEk1TlpZIiwib3BlbmlkIl0sInppZCI6IjY4dWV4eCIsImdyYW50X3R5cGUiOiJ1cm46aWV0ZjpwYXJhbXM6b2F1dGg6Z3JhbnQtdHlwZTpzYW1sMi1iZWFyZXIiLCJ1c2VyX2lkIjoiYWU0NWM4YTAtZDU4ZC00ZDExLWE4ZTItZGNiZjlkNWEyNzY0IiwiYXpwIjoidGVzdGNsaWVudGRJNU5aWSIsInNjb3BlIjpbIm9wZW5pZCJdLCJleHAiOjE3MzIwOTIzODQsImlhdCI6MTczMjA5MTc4NCwianRpIjoiNjA3NmIzZjNmOTI5NDg2ZGEyN2MwNmU5ZmQ1Y2UwNWQiLCJlbWFpbCI6IlNhbWwyQmVhcmVySW50ZWdyYXRpb25Vc2VyQHRoaXMtZGVmYXVsdC13YXMtbm90LWNvbmZpZ3VyZWQuaW52YWxpZCIsInJldl9zaWciOiIxZjgxYzk1OSIsImNpZCI6InRlc3RjbGllbnRkSTVOWlkifQ.R87xbDsrmnBEugqdFNO8Sq9FphlvM9uKVyFlLlP57T94JDMP1mFnLtV-BB7uWGo7LebEa1Kbav78M4fQJnBYetKWWH9yuGcetBCUa7f8c5zivCNN-sx5LTo6nxv3Cr_XxxL6gpwFVXTPIaL9u3XkKZFjiMZn14n99LbbRQIsDerNfhczNKeq2WdhVHrUezGwTSZGXnMDWR67ZgdLTpR-CvTpMJ4wBI5Bh6rt7qQfH2SDuKD2D39mIIBOCxb5ttYoVOuwaImHiMwX1szoYfbxMIwtIUMbarCXSS2pw26ikElF_jQb8xWCkgRw3QEa03TWj5jnvOCbq3IbFrD5NojB_g",
      "token_type" : "bearer",
      "refresh_token" : "5f50fec1a002430fb96e59a34e6ea622-r",
      "expires_in" : 599,
      "scope" : "openid",
      "jti" : "6076b3f3f929486da27c06e9fd5ce05d"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional The client ID of the receiving client; this client must have the urn:ietf:params:oauth:grant-type:saml2-bearer grant type
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header or if client_assertion is sent as part of private_key_jwt authentication.
    client_assertion String Optional UAA 76.23.0 Client authentication using method private_key_jwt. Optional as replacement of methods client_secret_basic or client_secret_post using secrets. The client needs a valid JWT configuration so that the JWT in client_assertion is trusted.
    client_assertion_type String Optional UAA 76.23.0 RFC 7523 describes the type. Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer if client_assertion parameter is present.
    grant_type String Required The type of token grant requested, in this case urn:ietf:params:oauth:grant-type:saml2-bearer
    assertion String Required An XML-based SAML 2.0 bearer assertion, Base64URL-encoded.
    scope String Optional The list of scopes requested for the token. Use when you wish to reduce the number of scopes the token will have.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    token_type String The type of the access token issued, always bearer
    expires_in Number Number of seconds of lifetime for an access_token, when retrieved
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    JWT Bearer Token Grant

    The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants allows a client to request an OAuth 2.0 access token with a JWT id_token bearer assertion. The flow is defined in RFC 7523. The requesting client must have grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. In addition, the requesting client must either allow the IDP in allowedproviders or omit the property so that any trusted IDP is allowed. To establish trust in the assertion, the issuer claim is used to select an OIDC provider (IDP) configured in the UAA database. If multiple providers exist that have the same issuer, the grant will fail.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Accept: application/json' \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -d 'client_id=8tzkujqs3gil&client_secret=secret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJmMTc1ZGQ0Ny1mZWYzLTQ2NjItYWEzNC1hYWQxM2UxMWFmZTMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoiamttOWxmd2wtY3V1IiwiYW1yIjpbInB3ZCJdLCJvcmlnaW4iOiJ1YWEiLCJpc3MiOiJodHRwOi8vZWhlOGZzemN2ZXl1LmxvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImlHWnFSMzR2dUNzUCIsImF1ZCI6WyJpR1pxUjM0dnVDc1AiXSwiemlkIjoiZWhlOGZzemN2ZXl1IiwiZ3JhbnRfdHlwZSI6InBhc3N3b3JkIiwidXNlcl9pZCI6ImYxNzVkZDQ3LWZlZjMtNDY2Mi1hYTM0LWFhZDEzZTExYWZlMyIsImF6cCI6ImlHWnFSMzR2dUNzUCIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdXRoX3RpbWUiOjE3MzIwOTE3OTMsImV4cCI6MTczMjEzNDk5MywiaWF0IjoxNzMyMDkxNzkzLCJlbWFpbCI6ImprbTlsZndsLWN1dUB0ZXN0Lm9yZyIsImp0aSI6Ijc1OWI1MzU1NTJhMjQ0NWI4M2M4NmRiYWI0MDE4MGE3IiwicmV2X3NpZyI6ImM3ZDg3MmUyIiwiY2lkIjoiaUdacVIzNHZ1Q3NQIn0.b3ApztVy5EOtSks6Xf7eqRnRgEadso-Db9gN1nszTP4BIo1JjDxm65vNnt19c1pUgqQDsQ0Qnr_E0AeRpIE_99sHlbOcSJlkX3XU675WH2vCByG34wjliQj8FG1X5CK7H7YPoD4f5b350FHlJiwyiB4AzpGcts-UuMrBxDsfD6W-dROsv8pFBo21wJNoL7CrF_Leb2RGo18gO0k_YeMPpjAco0fRgg3lS-smI1GBjEDevETNi
SwRn6FcferOiex8xS1qxlW_OTB5i3V3QE6E4KEwM3W0cuY-MR27f6IyWcX2lkOlZJwKPzEZhBZ8POF9ANgDWAvofA9We1HRvcodLQ'
    
    POST /oauth/token HTTP/1.1
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Host: localhost
    
    client_id=8tzkujqs3gil&client_secret=secret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&token_format=opaque&response_type=token+id_token&scope=openid&assertion=eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJmMTc1ZGQ0Ny1mZWYzLTQ2NjItYWEzNC1hYWQxM2UxMWFmZTMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoiamttOWxmd2wtY3V1IiwiYW1yIjpbInB3ZCJdLCJvcmlnaW4iOiJ1YWEiLCJpc3MiOiJodHRwOi8vZWhlOGZzemN2ZXl1LmxvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImlHWnFSMzR2dUNzUCIsImF1ZCI6WyJpR1pxUjM0dnVDc1AiXSwiemlkIjoiZWhlOGZzemN2ZXl1IiwiZ3JhbnRfdHlwZSI6InBhc3N3b3JkIiwidXNlcl9pZCI6ImYxNzVkZDQ3LWZlZjMtNDY2Mi1hYTM0LWFhZDEzZTExYWZlMyIsImF6cCI6ImlHWnFSMzR2dUNzUCIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdXRoX3RpbWUiOjE3MzIwOTE3OTMsImV4cCI6MTczMjEzNDk5MywiaWF0IjoxNzMyMDkxNzkzLCJlbWFpbCI6ImprbTlsZndsLWN1dUB0ZXN0Lm9yZyIsImp0aSI6Ijc1OWI1MzU1NTJhMjQ0NWI4M2M4NmRiYWI0MDE4MGE3IiwicmV2X3NpZyI6ImM3ZDg3MmUyIiwiY2lkIjoiaUdacVIzNHZ1Q3NQIn0.b3ApztVy5EOtSks6Xf7eqRnRgEadso-Db9gN1nszTP4BIo1JjDxm65vNnt19c1pUgqQDsQ0Qnr_E0AeRpIE_99sHlbOcSJlkX3XU675WH2vCByG34wjliQj8FG1X5CK7H7YPoD4f5b350FHlJiwyiB4AzpGcts-UuMrBxDsfD6W-dROsv8pFBo21wJNoL7CrF_Leb2RGo18gO0k_YeMPpjAco0fRgg3lS-smI1GBjEDevETNiSwRn6Fcf
erOiex8xS1qxlW_OTB5i3V3QE6E4KEwM3W0cuY-MR27f6IyWcX2lkOlZJwKPzEZhBZ8POF9ANgDWAvofA9We1HRvcodLQ
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 234
    
    {
      "access_token" : "e4a5853332b14ebca884bd006c2fae6e",
      "token_type" : "bearer",
      "refresh_token" : "ad18eba2061d442ea093b0d8d78f9381-r",
      "expires_in" : 43199,
      "scope" : "openid",
      "jti" : "e4a5853332b14ebca884bd006c2fae6e"
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

    Request Parameters

    Parameter Type Constraints Description
    assertion String Required JWT token representing the user to be authenticated
    client_id String Required Required, client with
    client_secret String Optional The secret passphrase configured for the OAuth client. Optional if it is passed as part of the Basic Authorization header or if client_assertion is sent as part of private_key_jwt authentication.
    client_assertion String Optional UAA 76.23.0 Client authentication using method private_key_jwt. Optional as replacement of methods client_secret_basic or client_secret_post using secrets. The client needs a valid JWT configuration so that the JWT in client_assertion is trusted.
    client_assertion_type String Optional UAA 76.23.0 RFC 7523 describes the type. Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer if client_assertion parameter is present.
    grant_type String Required Must be set to urn:ietf:params:oauth:grant-type:jwt-bearer
    scope String Optional Optional parameter to limit the number of scopes in the scope claim of the access token
    response_type String Optional May be set to token or token id_token or id_token
    token_format String Optional May be set to opaque to retrieve a revocable, non-identifiable access token

    Response Fields

    Path Type Description
    access_token String Access token generated by this grant
    token_type String Will always be bearer
    scope String List of scopes present in the scope claim in the access token
    expires_in Number Number of seconds before this token expires from the time of issuance
    jti String The unique token ID
    refresh_token String Refresh token issued by this grant
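
    The provider selection described for this grant, as an added sketch that is not UAA's own code: the issuer claim is read from the still-unverified assertion, matched against the configured providers, and the grant is refused when the issuer is unknown, ambiguous, or excluded by the client's allowedproviders. The provider records, origin names, issuer URLs and function names are constructed for illustration; signature verification against the selected provider's keys is assumed to follow and is not shown.

```python
import base64
import json


class GrantError(Exception):
    """The assertion could not be mapped to exactly one permitted provider."""


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(assertion):
    """Read the payload of a compact JWT WITHOUT trusting it.

    At this point the claims only decide which provider's keys to verify with.
    """
    parts = assertion.split(".")
    if len(parts) != 3:
        raise GrantError("assertion is not a three-part compact JWT")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise GrantError("assertion payload cannot be decoded") from exc
    if not isinstance(claims, dict):
        raise GrantError("assertion payload is not a JSON object")
    return claims


def select_provider(assertion, providers, allowed_providers=None):
    """Return the origin of the single provider whose issuer equals the iss claim.

    allowed_providers=None models a client that omits allowedproviders,
    which means any trusted provider is acceptable.
    """
    iss = unverified_claims(assertion).get("iss")
    if not isinstance(iss, str) or not iss:
        raise GrantError("assertion has no usable iss claim")
    matches = [p for p in providers if p["issuer"] == iss]
    if not matches:
        raise GrantError("no configured provider for this issuer")
    if len(matches) > 1:
        # Same issuer on several providers: the key to trust is ambiguous.
        raise GrantError("issuer matches more than one provider")
    origin = matches[0]["origin"]
    if allowed_providers is not None and origin not in allowed_providers:
        raise GrantError("provider is not in the client's allowedproviders")
    return origin  # next step (not shown): verify the signature with this provider's keys


def outcome(assertion, providers, allowed_providers=None):
    """Convenience wrapper that turns a refusal into a readable string."""
    try:
        return select_provider(assertion, providers, allowed_providers)
    except GrantError as exc:
        return "rejected: " + str(exc)


def make_assertion(claims):
    """Build a constructed JWT with a dummy signature, for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".c2lnbmF0dXJl"


# Constructed provider configuration: two providers share one issuer.
PROVIDERS = [
    {"origin": "idp-a", "issuer": "https://idp-a.example.test/oauth/token"},
    {"origin": "idp-b", "issuer": "https://shared.example.test/oauth/token"},
    {"origin": "idp-c", "issuer": "https://shared.example.test/oauth/token"},
]

if __name__ == "__main__":
    good = make_assertion({"iss": "https://idp-a.example.test/oauth/token", "sub": "user-1"})
    shared = make_assertion({"iss": "https://shared.example.test/oauth/token", "sub": "user-2"})
    print(outcome(good, PROVIDERS))                 # client without allowedproviders
    print(outcome(good, PROVIDERS, ["idp-b"]))      # client restricted to another provider
    print(outcome(shared, PROVIDERS))               # ambiguous issuer
```
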

    Refresh Token

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=app&client_secret=appclientsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=refresh_token&token_format=opaque&refresh_token=a62c0f9f2c3b47858d68075a54ba28db-r'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=app&client_secret=appclientsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=refresh_token&token_format=opaque&refresh_token=a62c0f9f2c3b47858d68075a54ba28db-r
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1439
    
    {
      "access_token" : "086020b141704f56aa9b5e38a9a6c1b5",
      "token_type" : "bearer",
      "id_token" : "eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhY2Q0Zjg4My1lNGI1LTQ2NjQtYTkyZS0wODRmZjYyNjBkMjAiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoiV0JPbmlLQHRlc3Qub3JnIiwiYW1yIjpbInB3ZCJdLCJvcmlnaW4iOiJ1YWEiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiY2xpZW50X2lkIjoiYXBwIiwiYXVkIjpbImFwcCJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiYWNkNGY4ODMtZTRiNS00NjY0LWE5MmUtMDg0ZmY2MjYwZDIwIiwiYXpwIjoiYXBwIiwic2NvcGUiOlsib3BlbmlkIl0sImF1dGhfdGltZSI6MTczMjA5MTc4NCwiZXhwIjoxNzMyMTM0OTg0LCJpYXQiOjE3MzIwOTE3ODQsImVtYWlsIjoiV0JPbmlLQHRlc3Qub3JnIiwianRpIjoiOTdlYWRkMGY2NjVhNDQ0M2JlNzkzN2M3YzM1OTYwNzYiLCJyZXZfc2lnIjoiMzY0NWJhYzciLCJjaWQiOiJhcHAifQ.nwMyC144nbY3XDfPtJyN_dpa0yCBdVoU4Um6pqDtMUjBX-eSJ4HGYWXVGhJ6giX9FJ4Om4GFDKBixzWjAEcbi9s9v-bJPMQViRuE0lqzx5uHoulUGDm5YWql_MsFCdcpe_dtYj3MeSdUKrZ7SDf411T-s5wYJzfMDy4PEU7N4g1DxMth7-USO3VBX_ooP_9ytWVsPl6x0N-XOU7UAFXVxEvfNT-xk_jc5m6Z-QNT4HKd0Cv2YJPuoO-MJE6xm2H9gFnyN2ZLpo6AOjZqJrqChfI6VxBtSKHA9LTftSE5hoSJ-221a55i07CdJPa46O3EvMO93wyhmUTM06yiy8eMHA",
      "refresh_token" : "a62c0f9f2c3b47858d68075a54ba28db-r",
      "expires_in" : 43199,
      "scope" : "scim.userids cloud_controller.read password.write cloud_controller.write openid",
      "jti" : "086020b141704f56aa9b5e38a9a6c1b5"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    grant_type String Required the type of authentication being used to obtain the token, in this case refresh_token
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header or as part of the client_assertion.
    client_secret String Optional Can be omitted if the token was previously requested using PKCE with code_challenge_method=S256 without a secret, or if client_assertion is used for private_key_jwt client authentication.
    client_assertion String Optional UAA 76.23.0 Client authentication using method private_key_jwt. Optional as replacement of methods client_secret_basic or client_secret_post using secrets. The client needs a valid JWT configuration so that the JWT in client_assertion is trusted.
    client_assertion_type String Optional UAA 76.23.0 RFC 7523 describes the type. Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer if client_assertion parameter is present.
    refresh_token String Required the refresh_token that was returned along with the access token.
    token_format String Optional (defaults to jwt) Can be set to opaque to retrieve an opaque token or to jwt to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    OpenID Connect

    The token endpoint can provide an ID token as defined by OpenID Connect.

    $ curl 'http://localhost/oauth/token' -i -X POST \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: application/json' \
        -d 'client_id=login&client_secret=loginsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=authorization_code&code=KBTrWSPponLUlsL8eIWyJDqp121TAWbi&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf'
    
    POST /oauth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json
    Host: localhost
    
    client_id=login&client_secret=loginsecret&client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=authorization_code&code=KBTrWSPponLUlsL8eIWyJDqp121TAWbi&token_format=opaque&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&redirect_uri=http%3A%2F%2Flocalhost%2Fredirect%2Fcf
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1386
    
    {
      "access_token" : "7e4a73a4fcf740fcb121a93c77e7f83e",
      "token_type" : "bearer",
      "id_token" : "eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI1ZDZkNjdhYy0wYWI5LTRmY2QtODRkNi1jYjdjOTYzNjJlYzMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9uYW1lIjoiS3pONDNDQHRlc3Qub3JnIiwib3JpZ2luIjoidWFhIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL3VhYS9vYXV0aC90b2tlbiIsImNsaWVudF9pZCI6ImxvZ2luIiwiYXVkIjpbImxvZ2luIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJhdXRob3JpemF0aW9uX2NvZGUiLCJ1c2VyX2lkIjoiNWQ2ZDY3YWMtMGFiOS00ZmNkLTg0ZDYtY2I3Yzk2MzYyZWMzIiwiYXpwIjoibG9naW4iLCJzY29wZSI6WyJvcGVuaWQiXSwiYXV0aF90aW1lIjoxNzMyMDkxNzgyLCJleHAiOjE3MzIxMzQ5ODIsImlhdCI6MTczMjA5MTc4MiwiZW1haWwiOiJLek40M0NAdGVzdC5vcmciLCJqdGkiOiI3ZTRhNzNhNGZjZjc0MGZjYjEyMWE5M2M3N2U3ZjgzZSIsInJldl9zaWciOiI3YjQ5NzI4IiwiY2lkIjoibG9naW4ifQ.HSySqARl2b0sVWB2NPO-KCuCkMHfc8eDW8_4f0PzgfLT7bIgmTSA89NtJf6KjRXftKePlijfEewdDaCDOQ3f13b1fHsQ5QlniiHCEOO9W_ANULuKxRpKjRgUzGbgVmfsKJ-5Sir8TAx0c4KzJGOckjdzYr51y_laWuL3ZZK0pxgP39f17wS1k1k9tL9144PaV2VvHnpXDwVqC2eUlaOyU4PtmTtCtmI-ksQnfSqhNSb_qAsfuoskbk9Pyuxqx6Dnzh-zvJb_asBgRj_XLAepzo1Z16L5yQi32902zBUvb8tCp6c6kHnnEteWDEj8itlW5q4tRqoeWoLzIxaniAonOw",
      "refresh_token" : "2168c95f3058401f9d250b1eecb87d5d-r",
      "expires_in" : 43199,
      "scope" : "openid oauth.approvals",
      "jti" : "7e4a73a4fcf740fcb121a93c77e7f83e"
    }
    

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client, the recipient of the token. Optional if it is passed as part of the Basic Authorization header or as part of the client_assertion.
    redirect_uri String Required if provided on authorization request redirection URI to which the authorization server will send the user-agent back once access is granted (or denied)
    code String Required the authorization code, obtained from /oauth/authorize, issued for the user
    grant_type String Required the type of authentication being used to obtain the token, in this case authorization_code
    client_secret String Optional UAA 75.21.0 Optional and can be omitted if the client has configured allowpublic and PKCE with code_challenge_method=S256 is used to create the code.
    client_assertion String Optional UAA 76.23.0 Client authentication using method private_key_jwt. Optional as replacement of methods client_secret_basic or client_secret_post using secrets. The client needs a valid JWT configuration so that the JWT in client_assertion is trusted.
    client_assertion_type String Optional UAA 76.23.0 RFC 7523 describes the type. Must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer if client_assertion parameter is present.
    code_verifier String Optional UAA 75.5.0 PKCE Code Verifier. A code_verifier parameter must be provided if a code_challenge parameter was present in the previous call to /oauth/authorize. The code_verifier must match the used code_challenge (according to the selected code_challenge_method)
    token_format String Optional (defaults to jwt) Can be set to opaque to retrieve an opaque token or to jwt to retrieve a JWT token. Please refer to the Revoke Tokens endpoint doc for information about the revocability of opaque vs. jwt tokens.

    Response Fields

    Path Type Description
    access_token String An OAuth2 access token. When token_format=opaque is requested this value will be a random string that can only be validated using the UAA's /check_token or /introspect endpoints. When token_format=jwt is requested, this token will be a JSON Web Token suitable for offline validation by OAuth2 Resource Servers.
    id_token String An OpenID Connect ID token. This portion of the token response is only returned when clients are configured with the scope openid, the response_type includes id_token, and the user has granted approval to the client for the openid scope.
    token_type String The type of the access token issued. This field is mandated in RFC 6749. In the UAA, the only supported token_type is bearer.
    expires_in Number The number of seconds until the access token expires.
    scope String A space-delimited list of scopes authorized by the user for this client. This list is the intersection of the scopes configured on the client, the group memberships of the user, and the user's approvals (when autoapprove: true is not configured on the client).
    refresh_token String An OAuth2 refresh token. Clients typically use the refresh token to obtain a new access token without the need for the user to authenticate again. They do this by calling /oauth/token with grant_type=refresh_token. See here for more information. A refresh token will only be issued to clients that have refresh_token in their list of authorized_grant_types.
    jti String A globally unique identifier for this access token. This identifier is used when revoking tokens.

    Revoke tokens

    Both access and refresh tokens can be passed to the /revoke endpoint.

    After the /revoke endpoint is successfully invoked with an access token, passing the same token to the UAA Introspect Token endpoint (/introspect) returns "active": false.

    If the access token is in the JWT format (as opposed to the opaque format), the server config uaa.jwt.revocable or the Identity Zone config config.tokenPolicy.jwtRevocable must be set to true for the revocation to work. However, OAuth resource servers are not required to call the UAA Introspect Token endpoint to validate the token. Once issued, from a security point of view, a valid access token in the JWT format should be considered valid until its expiry. Hence, we do not recommend relying on this endpoint to revoke access tokens in the JWT format. If the ability to remove/limit access after the tokens are issued is important to you, we recommend the following instead:

    When the /revoke endpoint is successfully invoked with a refresh token, the refresh token can no longer be used to perform the Refresh Token grant.

    Refresh tokens in any format can be revoked using the "Revoke all tokens for a user" endpoint (/oauth/token/revoke/user/{userId}), the "Revoke all tokens for a client" endpoint (/oauth/token/revoke/client/{clientId}), or the "Revoke all tokens for a user and client combination" endpoint (/oauth/token/revoke/user/{userId}/client/{clientId}).

    Refresh tokens in the opaque format can be individually revoked using the "Revoke a single token" endpoint (/oauth/token/revoke/{tokenId}). However, refresh tokens in the JWT format can only be individually revoked using the "Revoke a single token" endpoint when the server config uaa.jwt.revocable or the Identity Zone config config.tokenPolicy.jwtRevocable is set to true.

    Revoke all tokens for a user

    $ curl 'http://localhost/oauth/token/revoke/user/1585760f-b802-49b3-8e5c-bb4f48a20a28' -i -X GET \
        -H 'Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJhdXRob3JpdGllcyI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJhdWQiOlsic2NpbSIsImNsaWVudHMiLCJ1YWEiLCJhZG1pbiJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwiYXpwIjoiYWRtaW4iLCJzY29wZSI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiZXhwIjoxNzMyMTM0OTg1LCJpYXQiOjE3MzIwOTE3ODUsImp0aSI6ImQ2OTIyN2VhNTY2ZDQ2MWNhYjM0NGNkMTg1OWQwYWFhIiwicmV2X3NpZyI6IjY1MWE3YmYxIiwiY2lkIjoiYWRtaW4ifQ.X7LwUzng0CEseuyyimb7rH4YQk4ZMopOm5cGdq5FHsavPi9p9cR2T4823QWPpovg1KOCEG8lTEv_NVKXHZX60hLwOweTL5h4C5pEQ8uqUKf_BCrG8tTB_CoG62mzNr8nHHBTR5tCLJvSS0bR-IPnQyNCPfINN3jXVe3S2UicmWXOButyAlYiVIYj1m56eWap95C1j_fKgwbJsD4PaT9_YrtZZaOLKT1iV73b4Y3q-r_FU37FAS9V3al_lnHa7lfDU9dtEVEQuOEZeeAjry3H9SMLRBYkiNKeZysRluR9PKfOC78FT0WdZPpk_H9ksItID8z2qKZYeViDIFPMi-kbTg'
    
    GET /oauth/token/revoke/user/1585760f-b802-49b3-8e5c-bb4f48a20a28 HTTP/1.1
    Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJhdXRob3JpdGllcyI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJhdWQiOlsic2NpbSIsImNsaWVudHMiLCJ1YWEiLCJhZG1pbiJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwiYXpwIjoiYWRtaW4iLCJzY29wZSI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiZXhwIjoxNzMyMTM0OTg1LCJpYXQiOjE3MzIwOTE3ODUsImp0aSI6ImQ2OTIyN2VhNTY2ZDQ2MWNhYjM0NGNkMTg1OWQwYWFhIiwicmV2X3NpZyI6IjY1MWE3YmYxIiwiY2lkIjoiYWRtaW4ifQ.X7LwUzng0CEseuyyimb7rH4YQk4ZMopOm5cGdq5FHsavPi9p9cR2T4823QWPpovg1KOCEG8lTEv_NVKXHZX60hLwOweTL5h4C5pEQ8uqUKf_BCrG8tTB_CoG62mzNr8nHHBTR5tCLJvSS0bR-IPnQyNCPfINN3jXVe3S2UicmWXOButyAlYiVIYj1m56eWap95C1j_fKgwbJsD4PaT9_YrtZZaOLKT1iV73b4Y3q-r_FU37FAS9V3al_lnHa7lfDU9dtEVEQuOEZeeAjry3H9SMLRBYkiNKeZysRluR9PKfOC78FT0WdZPpk_H9ksItID8z2qKZYeViDIFPMi-kbTg
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/user/{userId}

    Parameter Description
    userId The id of the user

    Request Header

    Name Description
    Authorization Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR matching user_id
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke all tokens for a client

    $ curl 'http://localhost/oauth/token/revoke/client/VnqPX4' -i -X GET \
        -H 'Authorization: Bearer 7cf85643fa2949259135956b659db373'
    
    GET /oauth/token/revoke/client/VnqPX4 HTTP/1.1
    Authorization: Bearer 7cf85643fa2949259135956b659db373
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/client/{clientId}

    Parameter Description
    clientId The id of the client

    Request Header

    Name Description
    Authorization Bearer token with uaa.admin or tokens.revoke scope.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke all tokens for a user and client combination

    $ curl 'http://localhost/oauth/token/revoke/user/39fd0cf1-429c-49fe-9c54-05a55eb491d4/client/wlJQg3' -i -X GET \
        -H 'Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJhdXRob3JpdGllcyI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJhdWQiOlsic2NpbSIsImNsaWVudHMiLCJ1YWEiLCJhZG1pbiJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwiYXpwIjoiYWRtaW4iLCJzY29wZSI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiZXhwIjoxNzMyMTM0OTgyLCJpYXQiOjE3MzIwOTE3ODIsImp0aSI6IjFkMTc2ZjNlZGZhZDRhYmE4OTNkMzJlMDczOTVhMjkxIiwicmV2X3NpZyI6IjY1MWE3YmYxIiwiY2lkIjoiYWRtaW4ifQ.TQCFJKrOC30t4CewKwkrIs8Jb5tibmi9F2gb5hiKa6Dq7FnkZlgjKCgZxYzuN1FRAGhEbZBTwYy1dHD63q4Mq4Cgl5Om6iw85lhrx03CKHHjL7-5vOs6Q4VQqaPhfDtF0Gz2aHffPbabXGW83FxY-bHxH9YCcOwgjITkI41LjX2bLbOaA5BSFb0padpYT4_RYjGy9wGhAf_RBZKgOTW2wR0LYfYEDnK1orrfsTLcbYCxGvnyUfAD6jqKRVSzi-kQvTXOcmvo3yGHr8IMJqrN2hYTVxVVJDFz9D6OX93v7ob7uGqjb_IKIMi9WWeqjBSi3dC_IeihCVlaUhyVMrjD6w'
    
    GET /oauth/token/revoke/user/39fd0cf1-429c-49fe-9c54-05a55eb491d4/client/wlJQg3 HTTP/1.1
    Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJhdXRob3JpdGllcyI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiY2xpZW50X2lkIjoiYWRtaW4iLCJhdWQiOlsic2NpbSIsImNsaWVudHMiLCJ1YWEiLCJhZG1pbiJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwiYXpwIjoiYWRtaW4iLCJzY29wZSI6WyJjbGllbnRzLnJlYWQiLCJjbGllbnRzLnNlY3JldCIsImNsaWVudHMudHJ1c3QiLCJjbGllbnRzLndyaXRlIiwidWFhLmFkbWluIiwiY2xpZW50cy5hZG1pbiIsInNjaW0ud3JpdGUiLCJzY2ltLnJlYWQiXSwiZXhwIjoxNzMyMTM0OTgyLCJpYXQiOjE3MzIwOTE3ODIsImp0aSI6IjFkMTc2ZjNlZGZhZDRhYmE4OTNkMzJlMDczOTVhMjkxIiwicmV2X3NpZyI6IjY1MWE3YmYxIiwiY2lkIjoiYWRtaW4ifQ.TQCFJKrOC30t4CewKwkrIs8Jb5tibmi9F2gb5hiKa6Dq7FnkZlgjKCgZxYzuN1FRAGhEbZBTwYy1dHD63q4Mq4Cgl5Om6iw85lhrx03CKHHjL7-5vOs6Q4VQqaPhfDtF0Gz2aHffPbabXGW83FxY-bHxH9YCcOwgjITkI41LjX2bLbOaA5BSFb0padpYT4_RYjGy9wGhAf_RBZKgOTW2wR0LYfYEDnK1orrfsTLcbYCxGvnyUfAD6jqKRVSzi-kQvTXOcmvo3yGHr8IMJqrN2hYTVxVVJDFz9D6OX93v7ob7uGqjb_IKIMi9WWeqjBSi3dC_IeihCVlaUhyVMrjD6w
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/user/{userId}/client/{clientId}

    Parameter Description
    userId The id of the user
    clientId The id of the client

    Request Header

    Name Description
    Authorization Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR (matching user_id AND client_id)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Revoke a single token

    $ curl 'http://localhost/oauth/token/revoke/150cde62a4774cb58d26c90870bc0a2d' -i -X DELETE \
        -H 'Authorization: Bearer 150cde62a4774cb58d26c90870bc0a2d'
    
    DELETE /oauth/token/revoke/150cde62a4774cb58d26c90870bc0a2d HTTP/1.1
    Authorization: Bearer 150cde62a4774cb58d26c90870bc0a2d
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    
    

    Path Parameters

    /oauth/token/revoke/{tokenId}

    Parameter Description
    tokenId The identifier for the token to be revoked. For opaque tokens, use the token itself. For JWT tokens use the jti claim in the token.

    Request Header

    Name Description
    Authorization Bearer token with one of: uaa.admin scope OR tokens.revoke scope OR the token ID to be revoked
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    List tokens

    List all tokens for a user

    The /oauth/token/list/user/{userId} endpoint returns the metadata for all tokens that match the user_id in the path parameter. The request requires a token with the tokens.list scope.

    $ curl 'http://localhost/oauth/token/list/user/16c15344-f2fe-410c-a010-1fd42bf9edc8' -i -X GET \
        -H 'Authorization: Bearer 1e920d332c45498db2ae255519b67013' \
        -H 'Accept: application/json'
    
    GET /oauth/token/list/user/16c15344-f2fe-410c-a010-1fd42bf9edc8 HTTP/1.1
    Authorization: Bearer 1e920d332c45498db2ae255519b67013
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 631
    
    [ {
      "tokenId" : "81ea432c5a8b42ea932821a26ff70d8c",
      "clientId" : "nRxON0",
      "userId" : "16c15344-f2fe-410c-a010-1fd42bf9edc8",
      "format" : "opaque",
      "responseType" : "ACCESS_TOKEN",
      "issuedAt" : 1732091785865,
      "expiresAt" : 1732134985846,
      "scope" : "[openid]",
      "value" : null,
      "zoneId" : "uaa"
    }, {
      "tokenId" : "896a3114d58e4df095af7c97aaef29ff-r",
      "clientId" : "nRxON0",
      "userId" : "16c15344-f2fe-410c-a010-1fd42bf9edc8",
      "format" : "opaque",
      "responseType" : "REFRESH_TOKEN",
      "issuedAt" : 1732091785865,
      "expiresAt" : 1734683785838,
      "scope" : "[openid]",
      "value" : null,
      "zoneId" : "uaa"
    } ]
    

    Request Header

    Name Description
    Authorization Bearer token containing the tokens.list scope.
    Accept Set to application/json
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /oauth/token/list/user/{userId}

    Parameter Description
    userId The user ID to retrieve tokens for

    Response Fields

    Path Type Description
    [].zoneId String The zone ID for the token
    [].tokenId String The unique ID for the token
    [].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
    [].userId String User ID for this token, will always match the user_id claim in the access token used for this call
    [].format String What format was requested, possible values OPAQUE or JWT
    [].expiresAt Number Token expiration date as an epoch timestamp: the number of milliseconds between the expiry time and midnight, January 1, 1970 UTC.
    [].issuedAt Number Token issue date as an epoch timestamp: the number of milliseconds between the issue time and midnight, January 1, 1970 UTC.
    [].scope String Comma separated list of scopes this token holds, up to 1000 characters
    [].responseType String Response type requested during the token request, possible values ACCESS_TOKEN or REFRESH_TOKEN
    [].value String Access token value will always be null

    List all tokens for a client

    The /oauth/token/list/client/{clientId} endpoint returns all the tokens that match the client_id in the path parameter. The request requires a token with the tokens.list scope.

    $ curl 'http://localhost/oauth/token/list/client/b8iHwB' -i -X GET \
        -H 'Authorization: Bearer 0c885f7578f34250aaca672ac28de4df' \
        -H 'Accept: application/json'
    
    GET /oauth/token/list/client/b8iHwB HTTP/1.1
    Authorization: Bearer 0c885f7578f34250aaca672ac28de4df
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 286
    
    [ {
      "tokenId" : "0c885f7578f34250aaca672ac28de4df",
      "clientId" : "b8iHwB",
      "userId" : null,
      "format" : "opaque",
      "responseType" : "ACCESS_TOKEN",
      "issuedAt" : 1732091785396,
      "expiresAt" : 1732134985383,
      "scope" : "[tokens.list]",
      "value" : null,
      "zoneId" : "uaa"
    } ]
    

    Request Header

    Name Description
    Authorization Bearer token containing the tokens.list scope.
    Accept Set to application/json
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Path Parameters

    /oauth/token/list/client/{clientId}

    Parameter Description
    clientId The client ID to retrieve tokens for

    Response Fields

    Path Type Description
    [].zoneId String The zone ID for the token
    [].tokenId String The unique ID for the token
    [].clientId String Client ID for this token, will always match the client_id claim in the access token used for this call
    [].userId String User ID for this token, will always match the user_id claim in the access token used for this call
    [].format String What format was requested, possible values OPAQUE or JWT
    [].expiresAt Number Token expiration date as an epoch timestamp: the number of milliseconds between the expiry time and midnight, January 1, 1970 UTC.
    [].issuedAt Number Token issue date as an epoch timestamp: the number of milliseconds between the issue time and midnight, January 1, 1970 UTC.
    [].scope String Comma separated list of scopes this token holds, up to 1000 characters
    [].responseType String Response type requested during the token request, possible values ACCESS_TOKEN or REFRESH_TOKEN
    [].value String Access token value will always be null

    Introspect Token

    The Introspect Token endpoint is RFC 7662 compliant. The active flag in the response body, not the HTTP status code, indicates whether the token is valid. The status code will be 200 OK for both valid and invalid tokens.

    $ curl 'http://localhost/introspect' -i -X POST \
        -H 'Authorization: bearer 19da86593e924e639b4544cf1b299049' \
        -d 'token=61735ab99409452493edda05b34ce178'
    
    POST /introspect HTTP/1.1
    Authorization: bearer 19da86593e924e639b4544cf1b299049
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    
    token=61735ab99409452493edda05b34ce178
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 706
    
    {
      "user_id" : "faa16cb2-46be-4367-921f-282802f7674e",
      "user_name" : "marissa",
      "email" : "[email protected]",
      "client_id" : "app",
      "exp" : 1732134991,
      "scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
      "jti" : "61735ab99409452493edda05b34ce178",
      "aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
      "sub" : "faa16cb2-46be-4367-921f-282802f7674e",
      "iss" : "http://localhost:8080/uaa/oauth/token",
      "iat" : 1732091791,
      "cid" : "app",
      "grant_type" : "password",
      "azp" : "app",
      "auth_time" : 1732091791,
      "zid" : "uaa",
      "rev_sig" : "57725211",
      "origin" : "uaa",
      "revocable" : true,
      "active" : true
    }
    

    Request Headers

    Name Description
    Authorization One of the following authentication/authorization mechanisms:
    • Bearer token for a registered client with authority uaa.resource   [Recommended]
    • Basic authentication using client_id / client_secret for a registered client with authority uaa.resource   [Deprecated]
    If both bearer token and basic auth credentials are provided, only the bearer token will be used.

    Request Parameters

    Parameter Type Constraints Description
    token String Required The token

    Response Fields

    Path Type Description
    active Boolean Indicates whether or not the presented token is currently valid (given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity)
    user_id String Only applicable for user tokens
    user_name String Only applicable for user tokens
    email String Only applicable for user tokens
    client_id String A unique string representing the registration information provided by the client
    exp Number Expiration Time Claim
    authorities Array Only applicable for client tokens
    scope Array List of scopes authorized by the user for this client
    jti String JWT ID Claim
    aud Array Audience Claim
    sub String Subject Claim
    iss String Issuer Claim
    iat Number Issued At Claim
    cid String See client_id
    grant_type String The type of authentication being used to obtain the token, in this case password
    azp String Authorized party
    auth_time Number Only applicable for user tokens
    zid String Zone ID
    rev_sig String Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values.
    origin String Only applicable for user tokens
    revocable Boolean Set to true if this token is revocable
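
    How a resource server can turn an /introspect answer into an access decision, as an added example (not UAA code): because 200 OK is returned for invalid tokens too, the decision rests on the active flag, followed by expiry, issuer, audience and scope checks. The function and exception names are hypothetical, and both sample bodies are constructed from the response shown above.

```python
import json

# Constructed sample bodies modelled on the /introspect response shown above.
ACTIVE_BODY = json.dumps({
    "user_id": "faa16cb2-46be-4367-921f-282802f7674e",
    "client_id": "app",
    "exp": 1732134991,
    "scope": ["scim.userids", "openid", "cloud_controller.read",
              "password.write", "cloud_controller.write"],
    "jti": "61735ab99409452493edda05b34ce178",
    "aud": ["app", "scim", "cloud_controller", "password", "openid"],
    "sub": "faa16cb2-46be-4367-921f-282802f7674e",
    "iss": "http://localhost:8080/uaa/oauth/token",
    "zid": "uaa",
    "revocable": True,
    "active": True,
})
REVOKED_BODY = json.dumps({"active": False})  # what a revoked token yields


class TokenRejected(Exception):
    """Raised when the resource server must refuse the request."""


def authorize_from_introspection(status, body, *, issuer, audience,
                                 required_scopes, now):
    """Return the caller's identity or raise TokenRejected."""
    # A non-200 answer means the introspection call itself failed (wrong
    # resource-server credentials, outage). Fail closed.
    if status != 200:
        raise TokenRejected(f"introspection failed with HTTP {status}")
    try:
        claims = json.loads(body)
    except ValueError as exc:
        raise TokenRejected("introspection body is not JSON") from exc
    if not isinstance(claims, dict):
        raise TokenRejected("introspection body is not a JSON object")

    # 200 OK is also returned for invalid tokens: only `active` decides.
    # Identity comparison so that a string such as "true" does not pass.
    if claims.get("active") is not True:
        raise TokenRejected("token is not active")

    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token is expired or carries no exp")
    if claims.get("iss") != issuer:
        raise TokenRejected("unexpected issuer")
    if audience not in (claims.get("aud") or []):
        raise TokenRejected("token was not issued for this resource server")
    missing = set(required_scopes) - set(claims.get("scope") or [])
    if missing:
        raise TokenRejected("missing scope: " + ", ".join(sorted(missing)))

    return {
        "subject": claims.get("sub"),
        "client_id": claims.get("client_id"),
        "jti": claims.get("jti"),
        "revocable": claims.get("revocable", False),
    }
```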

    Check Token

    $ curl 'http://localhost/check_token' -i -u 'app:appclientsecret' -X POST \
        -d 'token=116c4cc2723840f99ef90d5f0d1468fe&scopes=password.write%2Cscim.userids'
    
    POST /check_token HTTP/1.1
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    
    token=116c4cc2723840f99ef90d5f0d1468fe&scopes=password.write%2Cscim.userids
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 687
    
    {
      "user_id" : "6412cca7-da65-438a-84fb-711d66bc2dce",
      "user_name" : "marissa",
      "email" : "[email protected]",
      "client_id" : "app",
      "exp" : 1732134991,
      "scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ],
      "jti" : "116c4cc2723840f99ef90d5f0d1468fe",
      "aud" : [ "app", "scim", "cloud_controller", "password", "openid" ],
      "sub" : "6412cca7-da65-438a-84fb-711d66bc2dce",
      "iss" : "http://localhost:8080/uaa/oauth/token",
      "iat" : 1732091791,
      "cid" : "app",
      "grant_type" : "password",
      "azp" : "app",
      "auth_time" : 1732091791,
      "zid" : "uaa",
      "rev_sig" : "a9dfd6ed",
      "origin" : "uaa",
      "revocable" : true
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority

    Request Parameters

    Parameter Type Constraints Description
    token String Required The token
    scopes Array Optional String of comma-separated scopes, for checking presence of scopes on the token

    Response Fields

    Path Type Description
    user_id String Only applicable for user tokens
    user_name String Only applicable for user tokens
    email String Only applicable for user tokens
    client_id String A unique string representing the registration information provided by the client
    exp Number Expiration Time Claim
    authorities Array Only applicable for client tokens
    scope Array List of scopes authorized by the user for this client
    jti String JWT ID Claim
    aud Array Audience Claim
    sub String Subject Claim
    iss String Issuer Claim
    iat Number Issued At Claim
    cid String See client_id
    grant_type String The type of authentication being used to obtain the token, in this case password
    azp String Authorized party
    auth_time Number Only applicable for user tokens
    zid String Zone ID
    rev_sig String Revocation Signature - token revocation hash salted with at least client ID and client secret, and optionally various user values.
    origin String Only applicable for user tokens
    revocable Boolean Set to true if this token is revocable

    Token Key(s)

    Token Key

    An endpoint that returns the JSON Web Token (JWT) key used by the UAA to sign JWT access tokens, which authorized clients use to verify that a token came from the UAA. The key is in JSON Web Key format. For complete information about JSON Web Keys, see RFC 7517. When the token key is symmetric (the signer key and the verifier key are the same), this call is authenticated with client credentials using the HTTP Basic method.

    JWT signing keys are specified via the identity zone configuration (see /identity-zones). An identity zone token policy can be configured with multiple keys for purposes of key rotation. When adding a new key, set its ID as the activeKeyId to use it to sign all new tokens. /introspect will continue to verify tokens signed with the previous signing key for as long as it is present in the keys of the identity zone's token policy. Remove it to invalidate all those tokens.

    Asymmetric

    $ curl 'http://localhost/token_key' -i -X GET \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_key HTTP/1.1
    Accept: application/json
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1732091794155"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 920
    
    {
      "kty" : "RSA",
      "e" : "AQAB",
      "use" : "sig",
      "kid" : "testKey",
      "alg" : "RS256",
      "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
      "n" : "0m59l2u9iDnMbrXHfqkOrn2dVQ3vfBJqcDuFUK03d-1PZGbVlNCqnkpIJ8syFppW8ljnWweP7-LiWpRoz0I7fYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE_uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQBLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U_16c5WBDOkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPojfj9Cw2QICsc5-Pwf21fP-hzf-1WSRHbnYv8uanRO0gZ8ekGaghM_2H6gqJbo2nIJw"
    }
    

    Request Headers

    Name Description
    If-None-Match Optional. See Ref: RFC 2616

    Response Headers

    Name Description
    ETag The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change.

    Response Fields

    Path Type Description
    kid String Key ID of key to be used for verification of the token.
    alg String Encryption algorithm
    value String Verifier key
    kty String Key type (RSA)
    use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")
    n String RSA key modulus
    e String RSA key public exponent

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret

    Symmetric

    $ curl 'http://localhost/token_key' -i -u 'app:appclientsecret' -X GET \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_key HTTP/1.1
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1732091794120"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 95
    
    {
      "kty" : "MAC",
      "alg" : "HS256",
      "value" : "key",
      "use" : "sig",
      "kid" : "testKey"
    }
    

    Request Headers

    Name Description
    Authorization Uses basic authorization with base64(resource_server:shared_secret) assuming the caller (a resource server) is actually also a registered client and has uaa.resource authority
    If-None-Match Optional. See Ref: RFC 2616

    Response Fields

    Path Type Description
    kid String Key ID of key to be used for verification of the token.
    alg String Encryption algorithm
    value String Verifier key
    kty String Key type (MAC)
    use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret
    403 Forbidden - Not a resource server (missing uaa.resource scope)

    Token Keys

    An endpoint which returns the list of JWT keys. To support key rotation, this list specifies the IDs of all currently valid keys. JWT tokens issued by the UAA contain a kid field, indicating which key should be used for verification of the token.

    $ curl 'http://localhost/token_keys' -i -u 'app:appclientsecret' -X GET \
        -H 'Accept: application/json' \
        -H 'If-None-Match: 1501570800000'
    
    GET /token_keys HTTP/1.1
    Accept: application/json
    Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
    If-None-Match: 1501570800000
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1732091794070"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 955
    
    {
      "keys" : [ {
        "kty" : "RSA",
        "e" : "AQAB",
        "use" : "sig",
        "kid" : "testKey",
        "alg" : "RS256",
        "value" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m59l2u9iDnMbrXHfqkO\nrn2dVQ3vfBJqcDuFUK03d+1PZGbVlNCqnkpIJ8syFppW8ljnWweP7+LiWpRoz0I7\nfYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE/uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQB\nLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U/16c5WBDO\nkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPo\njfj9Cw2QICsc5+Pwf21fP+hzf+1WSRHbnYv8uanRO0gZ8ekGaghM/2H6gqJbo2nI\nJwIDAQAB\n-----END PUBLIC KEY-----",
        "n" : "0m59l2u9iDnMbrXHfqkOrn2dVQ3vfBJqcDuFUK03d-1PZGbVlNCqnkpIJ8syFppW8ljnWweP7-LiWpRoz0I7fYb3d8TjhV86Y997Fl4DBrxgM6KTJOuE_uxnoDhZQ14LgOU2ckXjOzOdTsnGMKQBLCl0vpcXBtFLMaSbpv1ozi8h7DJyVZ6EnFQZUWGdgTMhDrmqevfx95U_16c5WBDOkqwIn7Glry9n9Suxygbf8g5AzpWcusZgDLIIZ7JTUldBb8qU2a0Dl4mvLZOn4wPojfj9Cw2QICsc5-Pwf21fP-hzf-1WSRHbnYv8uanRO0gZ8ekGaghM_2H6gqJbo2nIJw"
      } ]
    }
    

    Request Headers

    Name Description
    Authorization No authorization is required for requesting public keys.
    If-None-Match Optional. See Ref: RFC 2616

    Response Headers

    Name Description
    ETag The ETag version of the resource - used to decide if the client's version of the resource is already up to date. The UAA will set the ETag value to the epoch time in milliseconds of the last zone configuration change.

    Response Fields

    Path Type Description
    keys.[].kid String Key ID of key to be used for verification of the token.
    keys.[].alg String Encryption algorithm
    keys.[].value String Verifier key
    keys.[].kty String Key type (RSA or MAC)
    keys.[].use String Public key use parameter - identifies intended use of the public key. (defaults to "sig")
    keys.[].n String RSA key modulus
    keys.[].e String RSA key public exponent

    Error Codes

    Error Code Description
    401 Unauthorized - Unregistered client or incorrect client secret
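
How a resource server might consume this response, as an added example (not UAA's own code): it selects the key by `kid`, pins the algorithm to the published `alg`, ignores any key URL carried in the token header, and checks the RS256 signature with the standard library only. The function names are hypothetical, and the key and token in `constructed_demo` are constructed for the demo (built from two Mersenne primes), not taken from this page.

```python
import base64
import hashlib
import hmac
import json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(text):
    """Decode unpadded base64url, as used by JWS segments and the JWK n/e fields."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkcs1_sha256_block(message, k):
    """Build the k-byte EMSA-PKCS1-v1_5 encoding of SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def select_key(jwks, header):
    """Find the published key for a token header in a /token_keys body."""
    # Any jku/jwk/x5u value in the token header is ignored on purpose: keys come
    # only from the response the caller fetched from its configured UAA.
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise ValueError("missing kid")
    for key in jwks.get("keys", []):
        if key.get("kid") != kid:
            continue
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
            raise ValueError("not an RSA signature key")
        # The algorithm is pinned to what the server published for this kid.
        if key.get("alg") != "RS256" or header.get("alg") != "RS256":
            raise ValueError("algorithm mismatch")
        return key
    raise ValueError("unknown kid")


def verify_rs256(token, jwks):
    """Return the claims of an RS256 JWT if its signature verifies, else raise."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict):
        raise ValueError("malformed token")
    key = select_key(jwks, header)
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        raise ValueError("signature mismatch")
    # Re-encode the expected block and compare whole blocks instead of parsing
    # the decrypted padding, which avoids lenient-padding forgeries.
    recovered = pow(s, e, n).to_bytes(k, "big")
    expected = pkcs1_sha256_block(f"{head_b64}.{body_b64}".encode("ascii"), k)
    if not hmac.compare_digest(recovered, expected):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))


def constructed_demo():
    """Constructed key set and token; the primes are public, so this key is demo-only."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "kid": "testKey", "alg": "RS256",
                      "n": b64url_encode(n.to_bytes(k, "big")), "e": "AQAB"}]}
    head = b64url_encode(json.dumps({"alg": "RS256", "kid": "testKey"}).encode())
    body = b64url_encode(json.dumps({"sub": "constructed-user"}).encode())
    block = pkcs1_sha256_block(f"{head}.{body}".encode("ascii"), k)
    sig = pow(int.from_bytes(block, "big"), d, n).to_bytes(k, "big")
    return jwks, f"{head}.{body}.{b64url_encode(sig)}"


if __name__ == "__main__":
    demo_jwks, demo_token = constructed_demo()
    print(verify_rs256(demo_token, demo_jwks))
```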

    Session Management

    Logout.do

    The logout endpoint is meant to be used by applications to log the user out of the UAA session. UAA will only log a user out of the UAA session if they also hit this endpoint, and may also perform Single Logout with SAML providers if configured to do so. UAA may also log users out of OIDC proxied authenticated sessions based on OpenID Connect Session Management if configured to do so. The recommendation for application authors is to:

    If the chosen redirect URI is not whitelisted, users will land on the UAA login page. This is a security feature intended to prevent open redirects as per RFC 6749.

    $ curl 'http://localhost/logout.do?redirect=http%3A%2F%2Fredirect.localhost&client_id=some_client_that_contains_redirect_uri_matching_request_param&post_logout_redirect_uri=http%3A%2F%2Fredirect.localhost&id_token_hint=eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJhMGZlMGQ4OS1lZTJjLTRkMjEtYjFjMS0yNTQ2MzZjNzAxMTUiLCJhdWQiOlsic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJdLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiYXpwIjoic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJ9.efdaWKPkFlgXyaHeQPGgIBAhiJgfcRScVbmuVWu-aUVCZsPnhjCcJQfxcXn61yKSbs8y5Pze3PkSCZdnyh_TvjHtqGBAvTRHuC3ZEDv7tZMQd3reyiS3pLCmn0OSwLB5-Ni4-_DDOcrVy-kOF4yU8rHXiXhGtcFZWpTShvXQgm_WNFKA-kHUOxzl4bQE5S2EnJUB7i1yUMYgaWnhYGzxcIm94AuYrD3OW2D2DFkEqJnQCYUIH6h3iNs_ABHs-O2JUtz12IRVLJCrmTssF-KRBfv_dIwLxSMgK3hI0i9yYZt_pbLbshNkeu32iZgvstSGZeoYbzpZq3mGp9M1CMtvvQ' -i -X GET
    
    GET /logout.do?redirect=http%3A%2F%2Fredirect.localhost&client_id=some_client_that_contains_redirect_uri_matching_request_param&post_logout_redirect_uri=http%3A%2F%2Fredirect.localhost&id_token_hint=eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiJhMGZlMGQ4OS1lZTJjLTRkMjEtYjFjMS0yNTQ2MzZjNzAxMTUiLCJhdWQiOlsic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJdLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvdWFhL29hdXRoL3Rva2VuIiwiYXpwIjoic29tZV9jbGllbnRfdGhhdF9jb250YWluc19yZWRpcmVjdF91cmlfbWF0Y2hpbmdfcmVxdWVzdF9wYXJhbSJ9.efdaWKPkFlgXyaHeQPGgIBAhiJgfcRScVbmuVWu-aUVCZsPnhjCcJQfxcXn61yKSbs8y5Pze3PkSCZdnyh_TvjHtqGBAvTRHuC3ZEDv7tZMQd3reyiS3pLCmn0OSwLB5-Ni4-_DDOcrVy-kOF4yU8rHXiXhGtcFZWpTShvXQgm_WNFKA-kHUOxzl4bQE5S2EnJUB7i1yUMYgaWnhYGzxcIm94AuYrD3OW2D2DFkEqJnQCYUIH6h3iNs_ABHs-O2JUtz12IRVLJCrmTssF-KRBfv_dIwLxSMgK3hI0i9yYZt_pbLbshNkeu32iZgvstSGZeoYbzpZq3mGp9M1CMtvvQ HTTP/1.1
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=QAbIFpJhms2veqMyCA4bwG; Path=/; Max-Age=86400; Expires=Thu, 21 Nov 2024 08:36:26 GMT; HttpOnly; SameSite=Lax
    Set-Cookie: Current-User=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    Set-Cookie: X-Uaa-Csrf=OPTrv7g0I5Qd4Gic99wIqk; Path=/; Max-Age=0; Expires=Thu, 1 Jan 1970 00:00:10 GMT; HttpOnly; SameSite=Lax
    Set-Cookie: JSESSIONID=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: http://redirect.localhost
    
    

    Request Parameters

    Parameter Type Constraints Description
    redirect String Optional (defaults to Identity Zone redirect uri) On a successful logout redirect the user to here, provided the URL is whitelisted
    client_id String Optional On a successful logout the client's redirect_uri configuration is used as the redirect uri whitelist. If this value is not provided, the identity zone whitelist will be used instead.
    post_logout_redirect_uri String Optional (defaults to Same as redirect uri, supports OIDC logout) Support the parameter for OIDC applications based on OpenID Connect Session Management.
    id_token_hint String Optional (defaults to Support for OIDC logout) ID token from OIDC authentication. Used to identify the oauth client redirect uri whitelist. If this value is not provided, the identity zone whitelist will be used instead.

    Response Headers

    Name Description
    Location Redirect URI
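
A model of the redirect decision described above, as an added example (not UAA's own code): the `client_id` selects the client's redirect URIs as the allow-list, the zone allow-list is used otherwise, and a refused target falls back to the login page. Comparing parsed origin plus path prefix, preferring `redirect` over `post_logout_redirect_uri`, and all function names are assumptions of this sketch; `id_token_hint` handling is not modelled.

```python
from urllib.parse import unquote, urlsplit

LOGIN_PAGE = "/login"  # where the user lands when the target is refused
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_target(url):
    """Return ((scheme, host, port), path), or None if the URL is unsafe to compare."""
    if not isinstance(url, str) or "\\" in url or any(ord(c) < 0x21 for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo would hide the real host
    path = unquote(parts.path) or "/"
    if ".." in path.split("/"):
        return None  # no climbing out of an allowed path prefix
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme]), path


def naive_is_allowed(target, allow_list):
    """Weak check, shown for contrast: a string prefix is not a URL comparison."""
    return any(target.startswith(entry) for entry in allow_list)


def is_allowed(target, allow_list):
    """Hardened check: identical origin, and a path at or below the allowed one."""
    parsed = parse_target(target)
    if parsed is None:
        return False
    origin, path = parsed
    for entry in allow_list:
        allowed = parse_target(entry)
        if allowed is None or allowed[0] != origin:
            continue
        base = allowed[1].rstrip("/")
        if path == allowed[1] or path.startswith(base + "/"):
            return True
    return False


def resolve_logout_redirect(params, client_redirect_uris, zone_allow_list):
    """Pick the Location value for a logout request from its query parameters."""
    target = params.get("redirect") or params.get("post_logout_redirect_uri")
    if not target:
        return LOGIN_PAGE
    client_id = params.get("client_id")
    if client_id is not None:
        # Unknown client: empty allow-list, so the request falls back to login.
        allow_list = client_redirect_uris.get(client_id, [])
    else:
        allow_list = zone_allow_list
    return target if is_allowed(target, allow_list) else LOGIN_PAGE


# Constructed registry and zone allow-list for the demo.
CLIENTS = {"some_client_that_contains_redirect_uri_matching_request_param":
           ["http://redirect.localhost"]}
ZONE_ALLOW_LIST = ["https://portal.example.test/after-logout"]

if __name__ == "__main__":
    request = {"redirect": "http://redirect.localhost",
               "client_id": "some_client_that_contains_redirect_uri_matching_request_param"}
    print(resolve_logout_redirect(request, CLIENTS, ZONE_ALLOW_LIST))
```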

    Identity Zones

    The UAA supports multi-tenancy, which it refers to as identity zones. An identity zone is accessed through a unique subdomain. If the standard UAA responds to https://uaa.10.244.0.34.xip.io, a zone on this UAA would be accessed through https://testzone1.uaa.10.244.0.34.xip.io.

    A zone contains a unique identifier as well as a unique subdomain:

    {
        "id":"testzone1",
        "subdomain":"testzone1",
        "name":"The Twiglet Zone[testzone1]",
        "version":0,
        "description":"Like the Twilight Zone but tastier[testzone1].",
        "created":1426258488910,
        "last_modified":1426258488910
    }
    

    The UAA by default creates a default zone. This zone will always be present, the ID will always be uaa, and the subdomain is blank:

    {
        "id": "uaa",
        "subdomain": "",
        "name": "uaa",
        "version": 0,
        "description": "The system zone for backwards compatibility",
        "created": 946710000000,
        "last_modified": 946710000000
    }
    

    Creating an identity zone

    An identity zone is created using a POST with an IdentityZone object. If the object contains an id, this id will be used as the identifier, otherwise an identifier will be generated. Once a zone has been created, the UAA will start accepting requests on the subdomain defined in the subdomain field of the identity zone. When an Identity Zone is created, an internal Identity Provider is automatically created with the default password policy.

    $ curl 'http://localhost/identity-zones' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer f2547a9343c0420abedeae46745597d7' \
        -d '{
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "active-key-1",
          "keys" : {
            "active-key-1" : {
              "signingKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "signingCert" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
              "signingAlg" : "RS256"
            }
          }
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa",
        "defaultIdentityProvider" : "uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1732091794769,
      "active" : true,
      "last_modified" : 1732091794769
    }'
    
    POST /identity-zones HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer f2547a9343c0420abedeae46745597d7
    Content-Length: 7785
    Host: localhost
    
    {
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "active-key-1",
          "keys" : {
            "active-key-1" : {
              "signingKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "signingCert" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
              "signingAlg" : "RS256"
            }
          }
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa",
        "defaultIdentityProvider" : "uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1732091794769,
      "active" : true,
      "last_modified" : 1732091794769
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5195
    
    {
      "id" : "twiglet-create",
      "subdomain" : "twiglet-create",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa",
        "defaultIdentityProvider" : "uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but tastier.",
      "created" : 1732091794777,
      "active" : true,
      "last_modified" : 1732091794777
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or uaa.admin
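
A pre-flight check for the request body, as an added example (not part of UAA): it applies the constraints this endpoint's Request Fields table states for `subdomain`, `name`, `clientSecretPolicy` and `tokenPolicy`, and masks the private-key fields that the 201 response above also leaves out, so the body can be logged. The function names, the DNS-label pattern for a legal subdomain, and the rule that `activeKeyId` must name a configured key are assumptions; the sample zone is constructed.

```python
import re

# Assumption: "legal characters for a subdomain name" means one DNS label.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)
SECRET_POLICY_FIELDS = ("minLength", "maxLength", "requireUpperCaseCharacter",
                        "requireLowerCaseCharacter", "requireDigit",
                        "requireSpecialCharacter")
# Request fields that carry private key material and are absent from the response.
SECRET_FIELDS = {"signingKey", "key", "passphrase", "privateKey", "privateKeyPassword"}


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_zone_request(zone):
    """Return a list of constraint violations; an empty list means the body passes."""
    errors = []
    for field in ("subdomain", "name"):
        if not isinstance(zone.get(field), str) or not zone[field]:
            errors.append(f"{field}: required")
    subdomain = zone.get("subdomain")
    if isinstance(subdomain, str) and subdomain and not SUBDOMAIN_RE.match(subdomain):
        errors.append("subdomain: not a legal subdomain name")
    config = zone.get("config") or {}
    policy = config.get("clientSecretPolicy")
    if policy is not None:
        # Every field is required once clientSecretPolicy is present.
        for field in SECRET_POLICY_FIELDS:
            if not _is_number(policy.get(field)):
                errors.append(f"config.clientSecretPolicy.{field}: required number")
    token = config.get("tokenPolicy") or {}
    keys = token.get("keys") or {}
    if keys:
        active = token.get("activeKeyId")
        if not active:
            errors.append("config.tokenPolicy.activeKeyId: required when keys are set")
        elif active not in keys:
            errors.append("config.tokenPolicy.activeKeyId: names no configured key")
    for key_id, entry in keys.items():
        extras = [f for f in ("signingAlg", "signingCert") if f in entry]
        if extras and not entry.get("signingKey"):
            errors.append(f"config.tokenPolicy.keys.{key_id}: "
                          f"{'/'.join(extras)} set without signingKey")
    fmt = token.get("refreshTokenFormat")
    if fmt is not None and fmt not in ("jwt", "opaque"):
        errors.append("config.tokenPolicy.refreshTokenFormat: must be jwt or opaque")
    return errors


def redact_secrets(node):
    """Return a copy of the body with private key material masked for logging."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k in SECRET_FIELDS and isinstance(v, str)
                else redact_secrets(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_secrets(item) for item in node]
    return node


# Constructed sample in the shape of the request above; the key values are placeholders.
CONSTRUCTED_ZONE = {
    "subdomain": "twiglet-create",
    "name": "The Twiglet Zone",
    "config": {
        "clientSecretPolicy": {field: -1 for field in SECRET_POLICY_FIELDS},
        "tokenPolicy": {
            "activeKeyId": "active-key-1",
            "refreshTokenFormat": "opaque",
            "keys": {"active-key-1": {"signingKey": "constructed-private-key",
                                      "signingAlg": "RS256"}},
        },
        "samlConfig": {
            "privateKey": "constructed-private-key",
            "privateKeyPassword": "constructed-passphrase",
            "keys": {"legacy-saml-key": {"key": "constructed-private-key",
                                         "passphrase": "constructed-passphrase",
                                         "certificate": "constructed-cert"}},
        },
    },
}

if __name__ == "__main__":
    print(check_zone_request(CONSTRUCTED_ZONE))
    print(redact_secrets(CONSTRUCTED_ZONE)["config"]["samlConfig"])
```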

    Request Fields

    Path Type Constraints Description
    id String Optional Unique ID of the identity zone
    subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Required Human-readable zone name
    description String Optional Description of the zone
    version Number Optional Reserved for future use of E-Tag versioning
    active Boolean Optional Indicates whether the identity zone is active. Defaults to true.
    config.clientSecretPolicy.minLength Number Required when clientSecretPolicy in the config is not null Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Required when clientSecretPolicy in the config is not null Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Required when clientSecretPolicy in the config is not null Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.tokenPolicy Object Optional Various fields pertaining to the JWT access and refresh tokens.
    config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
    config.tokenPolicy.keys.*.signingKey String Key to be used for signing Keys which will be used to sign the token
    config.tokenPolicy.keys.*.signingAlg String Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert Algorithm parameter according to RFC7518
    config.tokenPolicy.keys.*.signingCert String Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert PEM encoded X.509 to be used in x5c, e.g. RFC7517
    config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean Optional If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
    config.samlConfig.disableInResponseToCheck Boolean Optional If true, this zone will not validate the InResponseTo field of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.samlConfig.certificate String Deprecated Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.samlConfig.privateKey String Deprecated Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.privateKeyPassword String Deprecated Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.activeKeyId String Required if a list of keys defined in keys map The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.key String Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.keys.*.passphrase String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.keys.*.certificate String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.links.logout.redirectUrl String Optional Logout redirect url
    config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Optional Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array Optional List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Optional Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Optional Where users are directed upon clicking the password reset link
    config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean Optional This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Optional Issuer of this zone. Must be a valid URL.
    config.defaultIdentityProvider String Optional This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String Optional This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String Optional This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String Optional The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Optional Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Optional Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String Optional. Must be set if configuring consent. If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String Optional. Can be null if configuring consent. If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Optional Default groups each user in the zone inherits.
    config.userConfig.allowedGroups Array Optional Allowed groups in the zone. Defaults to null (all groups allowed)
    config.userConfig.maxUsers Number Optional number, default -1, no limit. Number of users in the zone. If more than 0, it limits the amount of users in the zone. (defaults to -1, no limit).
    config.userConfig.checkOriginEnabled Boolean Optional Flag for switching on the check if origin is valid when creating or updating users (defaults to false)
    config.userConfig.allowOriginLoop Boolean Optional Flag for switching off the loop over all origins in a zone (defaults to true)

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseTo field of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.userConfig.allowedGroups Array Allowed groups in the zone. Defaults to null (all groups allowed)
    config.userConfig.maxUsers Number Number of users in the zone. If more than 0, it limits the amount of users in the zone. (defaults to -1, no limit).
    config.userConfig.checkOriginEnabled Boolean Flag for switching on the check if origin is valid when creating or updating users (defaults to false)
    config.userConfig.allowOriginLoop Boolean Flag for switching off the loop over all origins in a zone (defaults to true)

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (Zones can only be created by being authenticated in the default zone.)
    422 Unprocessable Entity - Invalid zone details

    Sequential example of creating a zone and creating an admin client in that zone:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.testzone1.admin,zones.write"
    
    uaac token client get admin -s adminsecret
    
    uaac -t curl -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
    
    uaac -t curl -H"X-Identity-Zone-Id:testzone1" -XPOST -H"Content-Type:application/json" -H"Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients
    
    uaac target http://testzone1.localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac token decode
    

    Retrieving an identity zone

    $ curl 'http://localhost/identity-zones/twiglet-get' -i -X GET \
        -H 'Authorization: Bearer 74058a2ecbcd4156a0b186544c0dc237'
    
    GET /identity-zones/twiglet-get HTTP/1.1
    Authorization: Bearer 74058a2ecbcd4156a0b186544c0dc237
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5093
    
    {
      "id" : "twiglet-get",
      "subdomain" : "twiglet-get",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1732091794692,
      "active" : true,
      "last_modified" : 1732091794692
    }
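
A review pass over the zone configuration returned above, as an added example that is not part of the UAA documentation or code base: it walks the `config` object and reports the settings a reviewer would question, using the field meanings documented on this page. The names `audit_zone` and `lookup`, the `min_secret_length` threshold, and the treatment of `.*` and `*` as match-any origins are assumptions made for this example.

```python
import json

# Constructed sample: the security-relevant subset of the twiglet-get response
# body shown above (certificates, branding, prompts and userConfig omitted).
SAMPLE_ZONE = json.loads("""
{
  "id": "twiglet-get",
  "config": {
    "clientSecretPolicy": {
      "minLength": -1, "maxLength": -1, "requireUpperCaseCharacter": -1,
      "requireLowerCaseCharacter": -1, "requireDigit": -1, "requireSpecialCharacter": -1
    },
    "tokenPolicy": {
      "accessTokenValidity": 3600, "refreshTokenValidity": 7200, "jwtRevocable": false,
      "refreshTokenUnique": false, "refreshTokenRotate": false, "refreshTokenFormat": "opaque"
    },
    "samlConfig": {
      "requestSigned": true, "wantAssertionSigned": true, "disableInResponseToCheck": false
    },
    "corsPolicy": {
      "xhrConfiguration": {"allowedOrigins": [".*"], "allowedCredentials": false},
      "defaultConfiguration": {"allowedOrigins": [".*"], "allowedCredentials": false}
    },
    "links": {
      "logout": {"redirectUrl": "/login"},
      "homeRedirect": "http://my.hosted.homepage.com/"
    },
    "issuer": "http://localhost:8080/uaa"
  }
}
""")

MATCH_ALL = {".*", "*"}  # assumption: these entries are treated as "any origin"
CHAR_CLASSES = ("requireUpperCaseCharacter", "requireLowerCaseCharacter",
                "requireDigit", "requireSpecialCharacter")


def lookup(obj, dotted, default=None):
    """Walk a dotted path through nested dicts; missing or null yields default."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or obj.get(part) is None:
            return default
        obj = obj[part]
    return obj


def audit_zone(zone, min_secret_length=12):
    """Return {field path: finding} for zone settings that deserve a review.

    min_secret_length is a hypothetical local policy value, not a UAA default.
    """
    cfg = zone.get("config") or {}
    findings = {}

    def flag(path, message):
        findings["config." + path] = message

    # Client secret policy: values of 0 or below mean nothing is enforced.
    if lookup(cfg, "clientSecretPolicy.minLength", 0) < min_secret_length:
        flag("clientSecretPolicy.minLength",
             f"client secrets shorter than {min_secret_length} characters are accepted")
    if all(lookup(cfg, "clientSecretPolicy." + c, 0) <= 0 for c in CHAR_CLASSES):
        flag("clientSecretPolicy", "no character-class requirement for client secrets")

    # Token policy: revocability and refresh token rotation both default to off.
    if not lookup(cfg, "tokenPolicy.jwtRevocable", False):
        flag("tokenPolicy.jwtRevocable",
             "JWT tokens are not stored, so they cannot be revoked individually")
    if not lookup(cfg, "tokenPolicy.refreshTokenRotate", False):
        flag("tokenPolicy.refreshTokenRotate",
             "the refresh_token grant does not issue a new refresh token value")

    # SAML: the documented defaults are signed assertions and signed requests.
    if lookup(cfg, "samlConfig.disableInResponseToCheck", False):
        flag("samlConfig.disableInResponseToCheck",
             "InResponseTo of incoming IDP assertions is not validated")
    if not lookup(cfg, "samlConfig.wantAssertionSigned", True):
        flag("samlConfig.wantAssertionSigned", "unsigned SAML assertions are accepted")
    if not lookup(cfg, "samlConfig.requestSigned", True):
        flag("samlConfig.requestSigned", "outgoing authentication requests are not signed")

    # CORS: a match-all origin matters most when credentials are also allowed.
    for name in ("xhrConfiguration", "defaultConfiguration"):
        base = "corsPolicy." + name
        if MATCH_ALL & set(lookup(cfg, base + ".allowedOrigins", [])):
            creds = lookup(cfg, base + ".allowedCredentials", False)
            flag(base + ".allowedOrigins",
                 "any origin matches" + (", with credentials allowed" if creds else ""))

    # URLs that tokens and browsers are pointed at should not be plain HTTP.
    for path in ("issuer", "links.homeRedirect", "links.logout.redirectUrl"):
        if str(lookup(cfg, path, "")).lower().startswith("http://"):
            flag(path, "plain-HTTP URL")
    return findings


if __name__ == "__main__":
    for path, message in sorted(audit_zone(SAMPLE_ZONE).items()):
        print(f"{path}: {message}")
```

To run it against a live zone, save the body of `GET /identity-zones/{id}` to a file and pass `json.load(...)` of that file to `audit_zone`.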
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to retrieve

    Request Headers

    Name Description
    Authorization Bearer token containing zones.read or zones.write or uaa.admin. If you use the zone-switching header, a bearer token containing zones.<zone id>.admin or zones.<zone id>.read can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseTo field of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared, by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared, based on the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.userConfig.allowedGroups Array Allowed groups in the zone. Defaults to null (all groups allowed)
    config.userConfig.maxUsers Number Number of users in the zone. If more than 0, it limits the amount of users in the zone. (defaults to -1, no limit).
    config.userConfig.checkOriginEnabled Boolean Flag for switching on the check if origin is valid when creating or updating users (defaults to false)
    config.userConfig.allowOriginLoop Boolean Flag for switching off the loop over all origins in a zone (defaults to true)

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope
    404 Not Found - Zone does not exist

    Retrieving all identity zones

    $ curl 'http://localhost/identity-zones' -i -X GET \
        -H 'Authorization: Bearer 3b5302fff78f4f52bfe2af51cd7833f9'
    
    GET /identity-zones HTTP/1.1
    Authorization: Bearer 3b5302fff78f4f52bfe2af51cd7833f9
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 15581
    
    [ {
      "id" : "twiglet-get-1",
      "subdomain" : "twiglet-get-1",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1732091794310,
      "active" : true,
      "last_modified" : 1732091794310
    }, {
      "id" : "twiglet-get-2",
      "subdomain" : "twiglet-get-2",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1732091794347,
      "active" : true,
      "last_modified" : 1732091794347
    }, {
      "id" : "uaa",
      "subdomain" : "",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : 0,
          "maxLength" : 255,
          "requireUpperCaseCharacter" : 0,
          "requireLowerCaseCharacter" : 0,
          "requireDigit" : 0,
          "requireSpecialCharacter" : 0
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 43200,
          "refreshTokenValidity" : 2592000,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : null
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
            }
          },
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO\nMAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO\nMAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h\ncnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx\nCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM\nBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb\nBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W\nqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw\nznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha\nMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc\ngBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD\nVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD\nVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh\nQGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ\n0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC\nKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK\nRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code ( Get one at http://localhost:8080/uaa/passcode )"
        } ],
        "idpDiscoveryEnabled" : false,
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "scim.me", "cloud_controller.read", "cloud_controller.write", "cloud_controller_service_permissions.read", "password.write", "scim.userids", "uaa.user", "approvals.me", "oauth.approvals", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        }
      },
      "name" : "uaa",
      "version" : 1,
      "description" : "The system zone for backwards compatibility",
      "created" : 946684800000,
      "active" : true,
      "last_modified" : 1732091794231
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.read or zones.write or uaa.admin. If you use the zone-switching header, a bearer token containing zones.<zone id>.admin can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.
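
    The zone list returned by this endpoint carries most of each zone's security posture: token lifetimes, client secret policy, SAML signing and CORS. The following added example, which is not part of the UAA documentation or code base, audits a GET /identity-zones response body against the field descriptions on this page. The thresholds, severity labels and the hardened-example zone are assumptions, and the sample input is constructed (the twiglet-get-1 entry is trimmed from the response shown on this page).

```python
import json

# Thresholds and severity labels are assumptions of this example, not UAA defaults.
MAX_ACCESS_TOKEN_SECONDS = 3600
MIN_SECRET_LENGTH = 12
MATCH_ALL_ORIGINS = {".*", "*"}  # the page's sample response uses ".*"


def audit_zone(zone):
    """Return (severity, field path, message) tuples for one identity zone object."""
    findings = []
    cfg = zone.get("config") or {}

    token = cfg.get("tokenPolicy") or {}
    validity = token.get("accessTokenValidity")
    if isinstance(validity, int) and validity > MAX_ACCESS_TOKEN_SECONDS:
        findings.append(("medium", "config.tokenPolicy.accessTokenValidity",
                         f"access tokens stay valid for {validity}s"))
    if token.get("jwtRevocable") is False:
        findings.append(("low", "config.tokenPolicy.jwtRevocable",
                         "JWTs are not kept in the token store, so they cannot be revoked individually"))
    if token.get("refreshTokenRotate") is False:
        findings.append(("low", "config.tokenPolicy.refreshTokenRotate",
                         "the refresh_token grant does not issue a new refresh token value"))

    min_len = (cfg.get("clientSecretPolicy") or {}).get("minLength")
    if not isinstance(min_len, int) or min_len < MIN_SECRET_LENGTH:
        findings.append(("medium", "config.clientSecretPolicy.minLength",
                         f"zone does not require {MIN_SECRET_LENGTH}+ character secrets (value: {min_len})"))

    saml = cfg.get("samlConfig") or {}
    if saml.get("wantAssertionSigned") is False:
        findings.append(("high", "config.samlConfig.wantAssertionSigned",
                         "unsigned SAML assertions are accepted"))
    if saml.get("requestSigned") is False:
        findings.append(("low", "config.samlConfig.requestSigned",
                         "outgoing authentication requests are not signed"))
    if saml.get("disableInResponseToCheck") is True:
        findings.append(("medium", "config.samlConfig.disableInResponseToCheck",
                         "InResponseTo is not validated on incoming assertions"))

    cors = cfg.get("corsPolicy") or {}
    for name in ("defaultConfiguration", "xhrConfiguration"):
        policy = cors.get(name) or {}
        origins = policy.get("allowedOrigins") or []
        if any(origin in MATCH_ALL_ORIGINS for origin in origins):
            # A match-all origin is worse when credentialed requests are allowed too.
            with_credentials = policy.get("allowedCredentials") is True
            findings.append(("high" if with_credentials else "medium",
                             f"config.corsPolicy.{name}.allowedOrigins",
                             "every origin matches" +
                             (" and credentials are allowed" if with_credentials else "")))
    return findings


def audit_zones(response_body):
    """Parse a GET /identity-zones response body and audit every zone in it."""
    return {zone["id"]: audit_zone(zone) for zone in json.loads(response_body)}


# Constructed sample: the first zone is trimmed from the response on this page,
# the second ("hardened-example") is hypothetical.
SAMPLE_RESPONSE = r"""
[ {
  "id" : "twiglet-get-1",
  "config" : {
    "clientSecretPolicy" : { "minLength" : -1 },
    "tokenPolicy" : { "accessTokenValidity" : 3600, "jwtRevocable" : false,
                      "refreshTokenRotate" : false },
    "samlConfig" : { "requestSigned" : true, "wantAssertionSigned" : true,
                     "disableInResponseToCheck" : false },
    "corsPolicy" : {
      "xhrConfiguration" : { "allowedOrigins" : [ ".*" ], "allowedCredentials" : false },
      "defaultConfiguration" : { "allowedOrigins" : [ ".*" ], "allowedCredentials" : false }
    }
  }
}, {
  "id" : "hardened-example",
  "config" : {
    "clientSecretPolicy" : { "minLength" : 16 },
    "tokenPolicy" : { "accessTokenValidity" : 900, "jwtRevocable" : true,
                      "refreshTokenRotate" : true },
    "samlConfig" : { "requestSigned" : true, "wantAssertionSigned" : true,
                     "disableInResponseToCheck" : false },
    "corsPolicy" : {
      "xhrConfiguration" : { "allowedOrigins" : [ "^https://app\\.example\\.com$" ],
                             "allowedCredentials" : false },
      "defaultConfiguration" : { "allowedOrigins" : [ "^https://app\\.example\\.com$" ],
                                 "allowedCredentials" : false }
    }
  }
} ]
"""

if __name__ == "__main__":
    for zone_id, findings in audit_zones(SAMPLE_RESPONSE).items():
        print(zone_id, "- no findings" if not findings else "")
        for severity, path, message in findings:
            print(f"  [{severity}] {path}: {message}")
```

    To run it against a live server, pass the body returned by the curl command shown for this endpoint to audit_zones instead of SAMPLE_RESPONSE.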

    Response Fields

    Path Type Description
    [].id String Unique ID of the identity zone
    [].subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    [].name String Human-readable zone name
    [].description String Description of the zone
    [].version Number Reserved for future use of E-Tag versioning
    [].active Boolean Indicates whether the identity zone is active. Defaults to true.
    [].config.tokenPolicy.activeKeyId Varies The ID for the key that is being used to sign tokens
    [].config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
    [].config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    [].config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    [].config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    [].config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    [].config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
    [].config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.maxLength Number Maximum number of characters allowed for secret to be considered valid (defaults to 255).
    [].config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    [].config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    [].config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseTo field of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    [].config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    [].config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    [].config.samlConfig.entityID String Unique ID of the SAML2 entity
    [].config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    [].config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    [].config.samlConfig.keys.* Object Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    [].config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    [].config.links.logout.redirectUrl String Logout redirect url
    [].config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    [].config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    [].config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    [].config.links.logout.whitelist Array List of allowed whitelist redirects
    [].config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    [].config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    [].config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    [].config.branding.companyName Varies This name is used on the UAA Pages and in account management related communication in UAA
    [].config.branding.productLogo Varies This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    [].config.branding.squareLogo Varies This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    [].config.branding.footerLegalText Varies This text appears on the footer of all UAA pages
    [].config.branding.footerLinks Object These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    [].config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    [].config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    [].config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    [].config.prompts[].name String Name of field
    [].config.prompts[].type String What kind of field this is (e.g. text or password)
    [].config.prompts[].text String Actual text displayed on prompt for field
    [].config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    [].config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    [].config.issuer String Issuer of this zone. Must be a valid URL.
    [].config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    [].config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    [].config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    [].config.branding.footerLegalText String This text appears on the footer of all UAA pages
    [].config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    [].config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    [].config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    [].config.branding.banner.link String The UAA login banner will be a link pointing to this url
    [].config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    [].config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    [].config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based on returning the value of the Origin request header, "*", or "null" in the response.
    [].config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based on returning the value of the Origin patterns.
    [].config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    [].config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    [].config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    [].config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    [].config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    [].config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    [].config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared based on returning the value of the Origin request header, "*", or "null" in the response.
    [].config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared based on returning the value of the Origin patterns.
    [].config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    [].config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    [].config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    [].config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    [].config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    [].config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    [].config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    [].config.userConfig.allowedGroups Array Allowed groups in the zone. Defaults to null (all groups allowed)
    [].config.userConfig.maxUsers Number Number of users in the zone. If more than 0, it limits the amount of users in the zone. (defaults to -1, no limit).
    [].config.userConfig.checkOriginEnabled Boolean Flag for switching on the check if origin is valid when creating or updating users (defaults to false)
    [].config.userConfig.allowOriginLoop Boolean Flag for switching off the loop over all origins in a zone (defaults to true)

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope

    Updating an Identity Zone

    $ curl 'http://localhost/identity-zones/twiglet-update' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 6e86eb82962b4656b9fe049fe97fd162' \
        -d '{
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "updatedKeyId",
          "keys" : {
            "updatedKeyId" : {
              "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT",
              "signingCert" : null,
              "signingAlg" : "HS256"
            }
          }
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1732091794585,
      "active" : true,
      "last_modified" : 1732091794585
    }'
    
    PUT /identity-zones/twiglet-update HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 6e86eb82962b4656b9fe049fe97fd162
    Content-Length: 6455
    Host: localhost
    
    {
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "updatedKeyId",
          "keys" : {
            "updatedKeyId" : {
              "signingKey" : "upD4t3d.s1gNiNg.K3y/t3XT",
              "signingCert" : null,
              "signingAlg" : "HS256"
            }
          }
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "key" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n",
              "passphrase" : "password",
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "privateKeyPassword" : "password",
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n",
          "privateKey" : "-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF\nAt0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr\nQA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS\nkQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce\n7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J\nBO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN\nA24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==\n-----END RSA PRIVATE KEY-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 0,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1732091794585,
      "active" : true,
      "last_modified" : 1732091794585
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5164
    
    {
      "id" : "twiglet-update",
      "subdomain" : "twiglet-update",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : -1,
          "refreshTokenValidity" : -1,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "updatedKeyId"
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Updated Twiglet Zone",
      "version" : 1,
      "description" : "Like the Twilight Zone but not tastier.",
      "created" : 1732091794574,
      "active" : true,
      "last_modified" : 1732091794597
    }
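
    A pre-flight audit of a zone body before it is sent with this PUT, as an added example that is not part of the UAA documentation or code base. The function names, severity labels and probe origin are assumptions of this example, as is reading allowedOrigins entries as full-match regular expressions (suggested by the sample value .*); the HMAC key minimums are from RFC 7518 section 3.2.

```python
import re

# Constructed sample: a trimmed copy of the PUT body above. PEM material is
# replaced by placeholders; every other name and value is the page's.
PEM = "<PEM placeholder>"
CORS = {"allowedOrigins": [".*"], "allowedCredentials": False}
SAMPLE_ZONE = {
    "subdomain": "twiglet-update",
    "config": {
        "tokenPolicy": {
            "jwtRevocable": False,
            "activeKeyId": "updatedKeyId",
            "keys": {"updatedKeyId": {"signingKey": "upD4t3d.s1gNiNg.K3y/t3XT",
                                      "signingCert": None,
                                      "signingAlg": "HS256"}},
        },
        "samlConfig": {
            "requestSigned": True,
            "wantAssertionSigned": True,
            "disableInResponseToCheck": False,
            "activeKeyId": "legacy-saml-key",
            "keys": {"legacy-saml-key": {"key": PEM, "passphrase": "password",
                                         "certificate": PEM}},
            "privateKeyPassword": "password",
            "certificate": PEM,
            "privateKey": PEM,
        },
        "corsPolicy": {"xhrConfiguration": dict(CORS),
                       "defaultConfiguration": dict(CORS)},
    },
}

HMAC_MIN_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}  # RFC 7518, section 3.2
DEPRECATED_SAML = ("certificate", "privateKey", "privateKeyPassword")
PROBE_ORIGIN = "https://unrelated-origin.invalid"  # constructed probe value
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def matches_any_origin(patterns):
    """True if one entry, read as a full-match regex, accepts the probe origin."""
    for pattern in patterns or []:
        try:
            if re.fullmatch(pattern, PROBE_ORIGIN):
                return True
        except re.error:
            continue  # not a valid regex, so it cannot be a catch-all
    return False


def audit_zone(zone):
    """Return (severity, path, message) findings, most severe first."""
    out = []
    cfg = zone.get("config") or {}
    token = cfg.get("tokenPolicy") or {}
    saml = cfg.get("samlConfig") or {}

    # activeKeyId must name an entry of the keys map it sits next to.
    for name, part in (("tokenPolicy", token), ("samlConfig", saml)):
        keys = part.get("keys") or {}
        if keys and part.get("activeKeyId") not in keys:
            out.append(("high", f"config.{name}.activeKeyId",
                        "does not name an entry in keys"))

    # A null signingKey means "retain the existing value", so it is skipped.
    for kid, key in (token.get("keys") or {}).items():
        need = HMAC_MIN_BYTES.get(key.get("signingAlg"))
        if need is None or key.get("signingKey") is None:
            continue
        have = len(key["signingKey"].encode())
        if have < need:
            out.append(("medium", f"config.tokenPolicy.keys.{kid}.signingKey",
                        f"{have}-byte key, {key['signingAlg']} needs {need}"))
    if token and not token.get("jwtRevocable"):
        out.append(("info", "config.tokenPolicy.jwtRevocable",
                    "JWTs are not stored, so not individually revocable"))

    # Both signing flags default to true, so only an explicit false is flagged.
    if saml.get("wantAssertionSigned") is False:
        out.append(("high", "config.samlConfig.wantAssertionSigned",
                    "unsigned assertions are accepted"))
    if saml.get("requestSigned") is False:
        out.append(("low", "config.samlConfig.requestSigned",
                    "outgoing authentication requests are not signed"))
    if saml.get("disableInResponseToCheck"):
        out.append(("medium", "config.samlConfig.disableInResponseToCheck",
                    "InResponseTo is not validated"))
    for field in DEPRECATED_SAML:
        if saml.get(field) is not None:
            out.append(("low", f"config.samlConfig.{field}",
                        "marked Deprecated in the field table"))

    # A catch-all origin is worse when credentials may accompany the request.
    for name, cors in (cfg.get("corsPolicy") or {}).items():
        if matches_any_origin((cors or {}).get("allowedOrigins")):
            creds = bool(cors.get("allowedCredentials"))
            out.append(("high" if creds else "medium",
                        f"config.corsPolicy.{name}.allowedOrigins",
                        "matches any origin" + (" with credentials" if creds else "")))
    return sorted(out, key=lambda f: (RANK[f[0]], f[1]))
```

    Run against the sample body, the audit reports the 24-byte HS256 signing key, the catch-all CORS origins and the three deprecated SAML fields.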
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to update

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or uaa.admin. If you use the zone-switching header, a bearer token containing zones.<zone id>.admin can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    subdomain String Required Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Required Human-readable zone name
    description String Optional Description of the zone
    version Number Optional Reserved for future use of E-Tag versioning
    active Boolean Optional Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String Required if config.tokenPolicy.keys are set The ID for the key that is being used to sign tokens
    config.tokenPolicy.keys.*.signingKey String Key to be used for signing Keys which will be used to sign the token. If null value is specified for keys, then existing value will be retained.
    config.tokenPolicy.keys.*.signingAlg String Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert Algorithm parameter according to RFC7518
    config.tokenPolicy.keys.*.signingCert Null Optional. Can only be used in conjunction with keys.<key-id>.signingKey and keys.<key-id>.signingCert PEM encoded X.509 to be used in x5c, e.g. RFC7517
    config.tokenPolicy.accessTokenValidity Number Optional Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Optional Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Optional Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean Optional If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean Optional If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String Optional The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
    config.clientSecretPolicy.minLength Number Required when clientSecretPolicy in the config is not null Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Required when clientSecretPolicy in the config is not null Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Required when clientSecretPolicy in the config is not null Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Required when clientSecretPolicy in the config is not null Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean Optional If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.wantAssertionSigned Boolean Optional Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Optional Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.entityID String Optional Unique ID of the SAML2 entity
    config.samlConfig.certificate String Deprecated Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.samlConfig.privateKey String Deprecated Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.privateKeyPassword String Deprecated Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.activeKeyId String Required if a list of keys defined in keys map The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.key String Optional. Can only be used in conjunction with keys.<key-id>.passphrase and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key.
    config.samlConfig.keys.*.passphrase String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.certificate Exposed SAML metadata property. The SAML provider's private key password. Reserved for future use.
    config.samlConfig.keys.*.certificate String Optional. Can only be used in conjunction with keys.<key-id>.key and keys.<key-id>.passphrase Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.links.logout.redirectUrl String Optional Logout redirect url
    config.links.homeRedirect String Optional Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Optional Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Optional Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array Optional List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Optional Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Optional Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Optional Where users are directed upon clicking the password reset link
    config.prompts[] Array Optional List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.idpDiscoveryEnabled Boolean Optional IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean Optional This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Optional Issuer of this zone. Must be a valid URL.
    config.branding.companyName String Optional This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String Optional This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String Optional This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String Optional This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String Optional These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String Optional This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String Optional This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String Optional The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Optional Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Optional Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String Optional. Must be set if configuring consent. If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String Optional. Can be null if configuring consent. If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.xhrConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Optional Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Optional Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array Optional The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array Optional The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Optional Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Optional Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Optional Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.defaultConfiguration.maxAge Number Optional Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Optional Default groups each user in the zone inherits.
    config.userConfig.allowedGroups Array Optional Allowed groups in the zone. Defaults to null (all groups allowed)
    config.userConfig.maxUsers Number Optional number, default -1, no limit. Number of users in the zone. If more than 0, it limits the amount of users in the zone. (defaults to -1, no limit).
    config.userConfig.checkOriginEnabled Boolean Optional Flag for switching on the check if origin is valid when creating or updating users (defaults to false)
    config.userConfig.allowOriginLoop Boolean Optional Flag for switching off the loop over all origins in a zone (defaults to true)

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.userConfig.allowedGroups Array Allowed groups in the zone. Defaults to null (all groups allowed)
    config.userConfig.maxUsers Number Number of users in the zone. If more than 0, it limits the amount of users in the zone. (defaults to -1, no limit).
    config.userConfig.checkOriginEnabled Boolean Flag for switching on the check if origin is valid when creating or updating users (defaults to false)
    config.userConfig.allowOriginLoop Boolean Flag for switching off the loop over all origins in a zone (defaults to true)
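
The zone fields listed above can be reviewed mechanically. The following is an added example, not part of the UAA documentation or code base: it audits a zone JSON document of the shape returned by /identity-zones/{id}. The finding names, the reading of values of 0 or below as "no requirement set in this zone", the match-all patterns and the hardened values are assumptions made for the example.

```python
import copy
import json
from urllib.parse import urlparse

# Constructed sample: the security-relevant subset of the zone JSON shown in
# this page's response bodies, with the same values.
SAMPLE_ZONE = json.loads("""
{"id": "twiglet-delete",
 "config": {
  "clientSecretPolicy": {"minLength": -1, "maxLength": -1,
    "requireUpperCaseCharacter": -1, "requireLowerCaseCharacter": -1,
    "requireDigit": -1, "requireSpecialCharacter": -1},
  "tokenPolicy": {"accessTokenValidity": 3600, "refreshTokenValidity": 7200,
    "jwtRevocable": false, "refreshTokenRotate": false},
  "samlConfig": {"requestSigned": true, "wantAssertionSigned": true,
    "disableInResponseToCheck": false},
  "corsPolicy": {
    "xhrConfiguration": {"allowedOrigins": [".*"],
      "allowedOriginPatterns": [], "allowedCredentials": false},
    "defaultConfiguration": {"allowedOrigins": [".*"],
      "allowedOriginPatterns": [], "allowedCredentials": false}},
  "links": {"logout": {"redirectUrl": "/login", "whitelist": null},
    "homeRedirect": "http://my.hosted.homepage.com/"},
  "issuer": "http://localhost:8080/uaa"}}
""")

# Assumption: these entries are treated as "matches every origin".
MATCH_ALL = {".*", "*"}
SECRET_RULES = ("minLength", "requireUpperCaseCharacter",
                "requireLowerCaseCharacter", "requireDigit",
                "requireSpecialCharacter")


def audit_zone(zone):
    """Return a sorted list of (finding_id, detail) tuples for one zone."""
    cfg = zone.get("config") or {}
    findings = []

    # Assumption: a value of 0 or below means the zone sets no requirement.
    secret = cfg.get("clientSecretPolicy") or {}
    if all((secret.get(rule) or 0) <= 0 for rule in SECRET_RULES):
        findings.append(("secret-policy-unset",
                         "no minimum length or character class required"))

    token = cfg.get("tokenPolicy") or {}
    if not token.get("jwtRevocable", False):
        findings.append(("jwt-not-revocable",
                         "JWT tokens are not stored, so not individually revocable"))
    if not token.get("refreshTokenRotate", False):
        findings.append(("refresh-not-rotated",
                         "refresh_token grant returns the same refresh token value"))

    # Both signing flags default to true per the field tables.
    saml = cfg.get("samlConfig") or {}
    if saml.get("wantAssertionSigned", True) is False:
        findings.append(("saml-unsigned-assertions", "wantAssertionSigned is false"))
    if saml.get("requestSigned", True) is False:
        findings.append(("saml-unsigned-requests", "requestSigned is false"))
    if saml.get("disableInResponseToCheck", False):
        findings.append(("saml-inresponseto-disabled",
                         "InResponseTo is not validated on incoming assertions"))

    for name, cors in (cfg.get("corsPolicy") or {}).items():
        cors = cors or {}
        origins = (cors.get("allowedOrigins") or []) + \
                  (cors.get("allowedOriginPatterns") or [])
        if MATCH_ALL & set(origins):
            with_creds = bool(cors.get("allowedCredentials"))
            fid = "cors-any-origin-with-credentials" if with_creds else "cors-any-origin"
            findings.append((fid, name))

    links = cfg.get("links") or {}
    if (links.get("logout") or {}).get("whitelist") is None:
        findings.append(("logout-whitelist-unset",
                         "no list of allowed logout redirects is configured"))

    for field, url in (("issuer", cfg.get("issuer")),
                       ("links.homeRedirect", links.get("homeRedirect"))):
        if url and urlparse(url).scheme == "http":
            findings.append(("cleartext-url", field))
    return sorted(findings)


def finding_ids(zone):
    """Distinct finding ids for a zone, sorted."""
    return sorted({fid for fid, _ in audit_zone(zone)})


def hardened_copy(zone):
    """Copy of the zone with every audited setting tightened (constructed values)."""
    z = copy.deepcopy(zone)
    cfg = z["config"]
    cfg["clientSecretPolicy"].update(minLength=24, maxLength=255, requireDigit=1)
    cfg["tokenPolicy"].update(jwtRevocable=True, refreshTokenRotate=True)
    for cors in cfg["corsPolicy"].values():
        cors["allowedOrigins"] = ["^https://app\\.example\\.com$"]
    cfg["links"]["logout"]["whitelist"] = ["https://app.example.com/signed-out"]
    cfg["links"]["homeRedirect"] = "https://app.example.com/"
    cfg["issuer"] = "https://uaa.example.com"
    return z


if __name__ == "__main__":
    for fid, detail in audit_zone(SAMPLE_ZONE):
        print(f"{fid}: {detail}")
```

Run against the sample values, the audit reports the unset secret policy, non-revocable JWTs, non-rotating refresh tokens, match-all CORS origins, the missing logout whitelist and the two http:// URLs; the hardened copy returns no findings.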

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (zone admins can only update own zone)
    404 Not Found - Update to nonexistent zone
    422 Unprocessable Entity - Invalid zone details

    Deleting an Identity Zone

    $ curl 'http://localhost/identity-zones/twiglet-delete' -i -X DELETE \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 3c1d970d95c84abbb831455e24e6bd50'
    
    DELETE /identity-zones/twiglet-delete HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 3c1d970d95c84abbb831455e24e6bd50
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 5099
    
    {
      "id" : "twiglet-delete",
      "subdomain" : "twiglet-delete",
      "config" : {
        "clientSecretPolicy" : {
          "minLength" : -1,
          "maxLength" : -1,
          "requireUpperCaseCharacter" : -1,
          "requireLowerCaseCharacter" : -1,
          "requireDigit" : -1,
          "requireSpecialCharacter" : -1
        },
        "tokenPolicy" : {
          "accessTokenValidity" : 3600,
          "refreshTokenValidity" : 7200,
          "jwtRevocable" : false,
          "refreshTokenUnique" : false,
          "refreshTokenRotate" : false,
          "refreshTokenFormat" : "opaque",
          "activeKeyId" : "active-key-1"
        },
        "samlConfig" : {
          "requestSigned" : true,
          "wantAssertionSigned" : true,
          "activeKeyId" : "legacy-saml-key",
          "keys" : {
            "legacy-saml-key" : {
              "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
            }
          },
          "entityID" : "cloudfoundry-saml-login",
          "disableInResponseToCheck" : false,
          "certificate" : "-----BEGIN CERTIFICATE-----\nMIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwG\nA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNERE\nMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdl\nYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIw\nODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UE\nCAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs\nZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl\n8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwID\nAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx\n8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy\n2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0\nHn+GmxZA\n-----END CERTIFICATE-----\n"
        },
        "corsPolicy" : {
          "xhrConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          },
          "defaultConfiguration" : {
            "allowedOrigins" : [ ".*" ],
            "allowedOriginPatterns" : [ ],
            "allowedUris" : [ ".*" ],
            "allowedUriPatterns" : [ ],
            "allowedHeaders" : [ "Accept", "Authorization", "Content-Type" ],
            "allowedMethods" : [ "GET" ],
            "allowedCredentials" : false,
            "maxAge" : 1728000
          }
        },
        "links" : {
          "logout" : {
            "redirectUrl" : "/login",
            "redirectParameterName" : "redirect",
            "disableRedirectParameter" : false,
            "whitelist" : null
          },
          "homeRedirect" : "http://my.hosted.homepage.com/",
          "selfService" : {
            "selfServiceLinksEnabled" : true,
            "signup" : null,
            "passwd" : null
          }
        },
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ],
        "idpDiscoveryEnabled" : false,
        "branding" : {
          "companyName" : "Test Company",
          "productLogo" : "VGVzdFByb2R1Y3RMb2dv",
          "squareLogo" : "VGVzdFNxdWFyZUxvZ28=",
          "footerLegalText" : "Test footer legal text",
          "footerLinks" : {
            "Support" : "http://support.example.com"
          },
          "banner" : {
            "logo" : "VGVzdFByb2R1Y3RMb2dv",
            "text" : "Announcement",
            "textColor" : "#000000",
            "backgroundColor" : "#89cff0",
            "link" : "http://announce.example.com"
          },
          "consent" : {
            "text" : "Some Policy",
            "link" : "http://policy.example.com"
          }
        },
        "accountChooserEnabled" : false,
        "userConfig" : {
          "defaultGroups" : [ "openid", "password.write", "uaa.user", "approvals.me", "profile", "roles", "user_attributes", "uaa.offline_token" ],
          "maxUsers" : -1,
          "checkOriginEnabled" : false,
          "allowOriginLoop" : true
        },
        "issuer" : "http://localhost:8080/uaa"
      },
      "name" : "The Twiglet Zone",
      "version" : 0,
      "created" : 1732091794469,
      "active" : true,
      "last_modified" : 1732091794469
    }
    

    Path Parameters

    /identity-zones/{id}

    Parameter Description
    id Unique ID of the identity zone to delete

    Request Headers

    Name Description
    Authorization Bearer token containing zones.write or uaa.admin. If you use the zone-switching header, bearer token containing zones.<zone id>.admin can be used.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String Unique ID of the identity zone
    subdomain String Unique subdomain for the running instance. May only contain legal characters for a subdomain name.
    name String Human-readable zone name
    description String Description of the zone
    version Number Reserved for future use of E-Tag versioning
    active Boolean Indicates whether the identity zone is active. Defaults to true.
    config.tokenPolicy.activeKeyId String The ID for the key that is being used to sign tokens
    config.tokenPolicy.accessTokenValidity Number Time in seconds between when an access token is issued and when it expires. Defaults to global accessTokenValidity
    config.tokenPolicy.refreshTokenValidity Number Time in seconds between when a refresh token is issued and when it expires. Defaults to global refreshTokenValidity
    config.tokenPolicy.jwtRevocable Boolean Set to true if JWT tokens should be stored in the token store, and thus made individually revocable. Opaque tokens are always stored and revocable.
    config.tokenPolicy.refreshTokenUnique Boolean If true, uaa will only issue one refresh token per client_id/user_id combination. Defaults to false.
    config.tokenPolicy.refreshTokenRotate Boolean If true, uaa will issue a new refresh token value in grant type refresh_token. Defaults to false.
    config.tokenPolicy.refreshTokenFormat String The format for the refresh token. Allowed values are jwt, opaque. Defaults to opaque.
    config.clientSecretPolicy.minLength Number Minimum number of characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.maxLength Number Maximum number of characters required for secret to be considered valid (defaults to 255).
    config.clientSecretPolicy.requireUpperCaseCharacter Number Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireLowerCaseCharacter Number Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireDigit Number Minimum number of digits required for secret to be considered valid (defaults to 0).
    config.clientSecretPolicy.requireSpecialCharacter Number Minimum number of special characters required for secret to be considered valid (defaults to 0).
    config.samlConfig.disableInResponseToCheck Boolean If true, this zone will not validate the InResponseToField part of an incoming IDP assertion. Please see https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    config.samlConfig.wantAssertionSigned Boolean Exposed SAML metadata property. If true, all assertions received by the SAML provider must be signed. Defaults to true.
    config.samlConfig.requestSigned Boolean Exposed SAML metadata property. If true, the service provider will sign all outgoing authentication requests. Defaults to true.
    config.samlConfig.entityID String Unique ID of the SAML2 entity
    config.samlConfig.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.samlConfig.activeKeyId String The ID of the key that should be used for signing metadata and assertions.
    config.samlConfig.keys.*.certificate String Exposed SAML metadata property. The certificate used to verify the authenticity of all communications.
    config.links.logout.redirectUrl String Logout redirect url
    config.links.homeRedirect String Overrides the UAA home page and issues a redirect to this URL when the browser requests / and /home.
    config.links.logout.redirectParameterName String Changes the name of the redirect parameter
    config.links.logout.disableRedirectParameter Boolean Deprecated, no longer affects zone behavior. Whether or not to allow the redirect parameter on logout
    config.links.logout.whitelist Array List of allowed whitelist redirects
    config.links.selfService.selfServiceLinksEnabled Boolean Whether or not users are allowed to sign up or reset their passwords via the UI
    config.links.selfService.signup Null Where users are directed upon clicking the account creation link
    config.links.selfService.passwd Null Where users are directed upon clicking the password reset link
    config.prompts[] Array List of fields that users are prompted for to login. Defaults to username, password, and passcode.
    config.prompts[].name String Name of field
    config.prompts[].type String What kind of field this is (e.g. text or password)
    config.prompts[].text String Actual text displayed on prompt for field
    config.defaultIdentityProvider String This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint.
    config.idpDiscoveryEnabled Boolean IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider
    config.accountChooserEnabled Boolean This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
    config.issuer String Issuer of this zone. Must be a valid URL.
    config.branding.companyName String This name is used on the UAA Pages and in account management related communication in UAA
    config.branding.productLogo String This is a base64Url encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
    config.branding.squareLogo String This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
    config.branding.footerLegalText String This text appears on the footer of all UAA pages
    config.branding.footerLinks.* String These links (Map) appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    config.branding.banner.text String This is text displayed in a banner at the top of the UAA login page
    config.branding.banner.logo String This is base64 encoded PNG data displayed in a banner at the top of the UAA login page, overrides banner text
    config.branding.banner.link String The UAA login banner will be a link pointing to this url
    config.branding.banner.textColor String Hexadecimal color code for banner text color, does not allow color names
    config.branding.banner.backgroundColor String Hexadecimal color code for banner background color, does not allow color names
    config.branding.consent.text String If set, a checkbox on the registration and invitation pages will appear with the phrase I agree to followed by this text. The checkbox must be selected before the user can continue.
    config.branding.consent.link String If config.branding.consent.text is set, the text after I agree to will be hyperlinked to this location.
    config.corsPolicy.defaultConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.defaultConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.defaultConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.defaultConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.defaultConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.defaultConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.defaultConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.defaultConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.corsPolicy.xhrConfiguration.allowedOrigins Array Access-Control-Allow-Origin header. Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null" in the response.
    config.corsPolicy.xhrConfiguration.allowedOriginPatterns Array Indicates whether a resource can be shared by returning the value of the Origin patterns.
    config.corsPolicy.xhrConfiguration.allowedUris Array The list of allowed URIs.
    config.corsPolicy.xhrConfiguration.allowedUriPatterns Array The list of allowed URI patterns.
    config.corsPolicy.xhrConfiguration.allowedHeaders Array Access-Control-Allow-Headers header. Indicates which header field names can be used during the actual response
    config.corsPolicy.xhrConfiguration.allowedMethods Array Access-Control-Allow-Methods header. Indicates which method will be used in the actual request as part of the preflight request.
    config.corsPolicy.xhrConfiguration.allowedCredentials Boolean Access-Control-Allow-Credentials header. Indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    config.corsPolicy.xhrConfiguration.maxAge Number Access-Control-Max-Age header. Indicates how long the results of a preflight request can be cached in a preflight result cache
    config.userConfig.defaultGroups Array Default groups each user in the zone inherits.
    config.userConfig.allowedGroups Array Allowed groups in the zone. Defaults to null (all groups allowed)
    config.userConfig.maxUsers Number Number of users in the zone. If more than 0, it limits the number of users in the zone (defaults to -1, no limit).
    config.userConfig.checkOriginEnabled Boolean Flag for switching on the check if origin is valid when creating or updating users (defaults to false)
    config.userConfig.allowOriginLoop Boolean Flag for switching off the loop over all origins in a zone (defaults to true)

    Error Codes

    Error Code Description
    400 Bad Request
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (zone admins can only delete their own zone)
    404 Not Found - Zone does not exist
    422 Unprocessable Entity - at least one IdP with alias exists in the zone

    Identity Providers

    Create

    SAML

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 074d0ce23c5b43db8919372b59ff88fd' \
        -d '{
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAML",
      "name" : "SAML name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 074d0ce23c5b43db8919372b59ff88fd
    Content-Length: 3031
    Host: localhost
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAML",
      "name" : "SAML name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 3280
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.okta.com/SAML\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" 
Location=\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>\n",
        "idpEntityAlias" : "SAML",
        "zoneId" : "uaa",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "id" : "68935ecc-8d76-483a-88fc-7c2fa6e5add5",
      "originKey" : "SAML",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1732091788197,
      "last_modified" : 1732091788197,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }
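
A pre-flight review of a SAML identity-provider create body like the one above, added here as an example (it is not part of the UAA documentation or code base). It reads the `metaDataLocation`, `nameID` and `skipSslValidation` fields shown in the request; the function name `review_saml_idp_payload`, the finding texts, the policy of refusing inline metadata that declares a DTD, and the constructed sample payload are assumptions of this example.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def review_saml_idp_payload(body):
    """Summarise a SAML IdP create body and list findings to confirm before POSTing."""
    payload = json.loads(body)
    config = payload.get("config") or {}
    location = (config.get("metaDataLocation") or "").strip()
    report = {"originKey": payload.get("originKey"), "entityID": None,
              "sso": [], "nameIDFormats": [], "findings": []}
    findings = report["findings"]

    if not location:
        findings.append("metaDataLocation is empty")
        return report
    if not location.startswith("<"):
        # A URL rather than inline XML: the metadata is fetched over the network.
        if urlparse(location).scheme != "https":
            findings.append("metadata URL is not https")
        if config.get("skipSslValidation"):
            findings.append("skipSslValidation is true for a metadata URL")
        return report

    # Inline XML: refuse DTDs so entity-expansion input never reaches the parser.
    if "<!DOCTYPE" in location or "<!ENTITY" in location:
        findings.append("inline metadata declares a DTD; not parsed")
        return report
    try:
        root = ET.fromstring(location)
    except ET.ParseError as exc:
        findings.append(f"inline metadata is not well-formed XML: {exc}")
        return report

    report["entityID"] = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("metadata has no IDPSSODescriptor")
        return report

    # Every SSO endpoint the user's browser will be sent to.
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = (sso.get("Binding") or "").rsplit(":", 1)[-1]
        url = sso.get("Location") or ""
        report["sso"].append((binding, url))
        if urlparse(url).scheme != "https":
            findings.append(f"{binding} SSO endpoint is not https: {url}")

    # Signing certificates; a KeyDescriptor without `use` serves both purposes.
    signing = [cert for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               for cert in kd.findall(".//ds:X509Certificate", NS)
               if (cert.text or "").strip()]
    if not signing:
        findings.append("no signing certificate in IDPSSODescriptor")

    # The NameID format requested in config should be one the IdP advertises.
    report["nameIDFormats"] = [(n.text or "").strip()
                               for n in idp.findall("md:NameIDFormat", NS)]
    wanted = config.get("nameID")
    if wanted and report["nameIDFormats"] and wanted not in report["nameIDFormats"]:
        findings.append(f"configured nameID {wanted} is not advertised by the IdP")
    return report


# Constructed sample, shaped like the request body in this section; the
# certificate value is a placeholder, not a real certificate.
SAMPLE_METADATA = (
    '<?xml version="1.0"?>'
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="http://idp.example.test/metadata">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    'Location="http://idp.example.test/sso"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>'
)
SAMPLE_BODY = json.dumps({
    "type": "saml",
    "originKey": "SAMLMetadataUrl",
    "config": {
        "metaDataLocation": SAMPLE_METADATA,
        "nameID": "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "skipSslValidation": False,
    },
})

if __name__ == "__main__":
    print(json.dumps(review_saml_idp_payload(SAMPLE_BODY), indent=2))
```

Pass it the exact string given to `-d`. An empty `findings` list means only that none of these checks fired.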
    
    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 074d0ce23c5b43db8919372b59ff88fd' \
        -d '{
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n    <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n  <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pX
uaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n  <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          
<ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:KeyDescriptor use=\"encryption\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          
<ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n  </md:IDPSSODescriptor>\n  <md:ContactPerson contactType=\"technical\">\n    
<md:GivenName>Filip</md:GivenName>\n    <md:SurName>Hanik</md:SurName>\n    <md:EmailAddress>[email protected]</md:EmailAddress>\n  </md:ContactPerson>\n</md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 074d0ce23c5b43db8919372b59ff88fd
    Content-Length: 7658
    Host: localhost
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n    <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n  <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pX
uaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n  <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          
<ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:KeyDescriptor use=\"encryption\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          
<ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n  </md:IDPSSODescriptor>\n  <md:ContactPerson contactType=\"technical\">\n    
<md:GivenName>Filip</md:GivenName>\n    <md:SurName>Hanik</md:SurName>\n    <md:EmailAddress>[email protected]</md:EmailAddress>\n  </md:ContactPerson>\n</md:EntityDescriptor>\n",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 7918
    
    {
      "type" : "saml",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : { },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "metaDataLocation" : "<?xml version=\"1.0\"?>\n<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" entityID=\"http://example.com/saml2/idp/metadata.php\" ID=\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Signature>\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>\n    <ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>\n  <ds:Reference URI=\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\"><ds:Transforms><ds:Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\"/><ds:Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/></ds:Transforms><ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pX
uaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\n  <md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <md:KeyDescriptor use=\"signing\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          
<ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:KeyDescriptor use=\"encryption\">\n      <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n        <ds:X509Data>\n          
<ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\n        </ds:X509Data>\n      </ds:KeyInfo>\n    </md:KeyDescriptor>\n    <md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SingleLogoutService.php\"/>\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\n    <md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://example.com/saml2/idp/SSOService.php\"/>\n  </md:IDPSSODescriptor>\n  <md:ContactPerson contactType=\"technical\">\n    
<md:GivenName>Filip</md:GivenName>\n    <md:SurName>Hanik</md:SurName>\n    <md:EmailAddress>[email protected]</md:EmailAddress>\n  </md:ContactPerson>\n</md:EntityDescriptor>\n",
        "idpEntityAlias" : "SAMLMetadataUrl",
        "zoneId" : "uaa",
        "nameID" : "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
        "assertionConsumerIndex" : 0,
        "metadataTrustCheck" : false,
        "showSamlLink" : false,
        "linkText" : "IDPEndpointsMockTests Saml Provider:SAML",
        "iconUrl" : null,
        "groupMappingMode" : "EXPLICITLY_MAPPED",
        "skipSslValidation" : false,
        "authnContext" : null,
        "socketFactoryClassName" : null
      },
      "id" : "2c5ce8ce-de04-4173-ab5f-947d6997c047",
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1732091788288,
      "last_modified" : 1732091788288,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required saml
    originKey String Required A unique alias for the SAML provider
    config.skipSslValidation Boolean Optional (defaults to false) Set to true, to skip SSL validation when fetching metadata.
    config.metaDataLocation String Required SAML Metadata - either an XML string or a URL that will deliver XML content
    config.nameID String Optional The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
    config.assertionConsumerIndex Number Optional SAML assertion consumer index, default is 0
    config.metadataTrustCheck Boolean Optional Whether the metadata should be validated. Defaults to false.
    config.showSamlLink Boolean Optional Whether the SAML login link should be displayed on the login page. Defaults to false.
    config.linkText String Required if the showSamlLink is set to true The link text for the SAML IDP on the login page
    config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
    config.iconUrl String Optional Reserved for future use
    config.socketFactoryClassName Null Optional Property is deprecated and value is ignored.
    config.authnContext Array Optional List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested.
    config.attributeMappings.user_name String Optional (defaults to "NameID") Map user_name to the attribute for user name in the provider assertion or token. The default for SAML is NameID.
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    aliasId String Optional The ID of the alias IdP. Must be set to null.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Defaults to null. Only supported for identity providers of type "saml", "oidc1.0" and "oauth2.0". If set, the field must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias identity providers can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". If set, an alias identity provider is created in the referenced zone and aliasId is set accordingly.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String saml
    originKey String A unique alias for the SAML provider
    config.skipSslValidation Boolean Set to true, to skip SSL validation when fetching metadata.
    config.metaDataLocation String SAML Metadata - either an XML string or a URL that will deliver XML content
    config.nameID String The name ID to use for the username, default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
    config.assertionConsumerIndex Number SAML assertion consumer index, default is 0
    config.metadataTrustCheck Boolean Whether the metadata should be validated. Defaults to false.
    config.showSamlLink Boolean Whether the SAML login link should be displayed on the login page. Defaults to false.
    config.linkText String The link text for the SAML IDP on the login page
    config.groupMappingMode String Either EXPLICITLY_MAPPED in order to map external groups to OAuth scopes using the group mappings, or AS_SCOPES to use SAML group names as scopes.
    config.iconUrl String Reserved for future use
    config.socketFactoryClassName Null Property is deprecated and value is ignored.
    config.authnContext Array List of AuthnContextClassRef to include in the SAMLRequest. If not specified no AuthnContext will be requested.
    config.attributeMappings.user_name String Map user_name to the attribute for user name in the provider assertion or token. The default for SAML is NameID.
    config.attributeMappings Object Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    config.additionalConfiguration Object (Unused.)
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date
    config.idpEntityAlias String This will be set to originKey
    config.zoneId String This will be set to the ID of the zone where the provider is being created
    aliasId String The ID of the alias IdP.
    aliasZid String The ID of the identity zone in which an alias of this IdP is maintained.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP

    LDAP supports several different configurations. The most common one is that authentication is done using a search and bind strategy. The available strategies for authentication are

    Group integration also supports different strategies

    LDAP Simple Bind

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: qot2ezep' \
        -H 'Authorization: Bearer e1431e2d49ee47ad89f0995912779cbb' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: qot2ezep
    Authorization: Bearer e1431e2d49ee47ad89f0995912779cbb
    Content-Length: 1242
    Host: localhost
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1443
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-simple-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : "cn={0},ou=Users,dc=test,dc=com",
        "userDNPatternDelimiter" : ";",
        "bindUserDn" : null,
        "userSearchBase" : null,
        "userSearchFilter" : null,
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-null.xml",
        "groupSearchBase" : null,
        "groupSearchFilter" : null,
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 10,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "id" : "bc41ff9e-8e55-4d3b-9bd6-7be33a12f311",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1732091789983,
      "last_modified" : 1732091789983,
      "active" : true,
      "identityZoneId" : "qot2ezep",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    aliasId String Optional The ID of the alias IdP. Must be set to null, since alias identity providers are not supported for LDAP.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Must be set to null, since alias identity providers are not supported for LDAP.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL to the ldap server, must start with ldap:// or ldaps://
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options, valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    aliasId String Optional The ID of the alias IdP. Must be set to null, since alias identity providers are not supported for LDAP.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Must be set to null, since alias identity providers are not supported for LDAP.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error
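
    A pre-flight check for the SAML and LDAP request fields documented above, added here as an example (it is not part of UAA or its documentation). It flags the transport and trust settings a reviewer would question before the payload is POSTed to /identity-providers. The function names, sample payloads and host names are constructed for illustration.

```python
import json

# Allowed values as listed in the LDAP Request Fields table.
LDAP_PROFILE_FILES = {"ldap/ldap-simple-bind.xml", "ldap/ldap-search-and-bind.xml",
                      "ldap/ldap-search-and-compare.xml"}
LDAP_GROUP_FILES = {"ldap/ldap-groups-null.xml", "ldap/ldap-groups-as-scopes.xml",
                    "ldap/ldap-groups-map-to-scopes.xml"}
TLS_OPTIONS = {"none", "simple", "external"}

# Constructed sample: trimmed copy of the LDAP Simple Bind request body.
LDAP_AS_DOCUMENTED = {
    "type": "ldap", "originKey": "ldap", "name": "ldap name",
    "aliasId": None, "aliasZid": None,
    "config": {
        "ldapProfileFile": "ldap/ldap-simple-bind.xml",
        "ldapGroupFile": "ldap/ldap-groups-null.xml",
        "baseUrl": "ldap://localhost:23389",
        "skipSSLVerification": False,
        "tlsConfiguration": "none",
    },
}
# Constructed sample: the same provider over ldaps:// (placeholder host name).
LDAP_OVER_TLS = {**LDAP_AS_DOCUMENTED, "config": {
    **LDAP_AS_DOCUMENTED["config"], "baseUrl": "ldaps://ldap.example.test:636"}}
# Constructed sample: SAML provider whose config is a JSON-encoded string,
# the form used when rawConfig is left at its default of false.
SAML_STRING_CONFIG = {
    "type": "saml", "originKey": "example-saml", "name": "SAML name",
    "config": json.dumps({
        "metaDataLocation": "http://idp.example.test/metadata",
        "metadataTrustCheck": False,
        "skipSslValidation": True,
        "showSamlLink": True,
        "groupMappingMode": "AS_SCOPES",
    }),
}


def _audit_ldap(idp, cfg):
    out = []
    base_url = cfg.get("baseUrl") or ""
    tls = cfg.get("tlsConfiguration") or "none"  # documented default
    if idp.get("originKey") != "ldap":
        out.append(("originKey", "must be 'ldap' for an LDAP provider"))
    if not base_url.startswith(("ldap://", "ldaps://")):
        out.append(("config.baseUrl", "must start with ldap:// or ldaps://"))
    if tls not in TLS_OPTIONS:
        out.append(("config.tlsConfiguration", "valid values: none, simple, external"))
    elif base_url.startswith("ldap://") and tls == "none":
        out.append(("config.tlsConfiguration",
                    "ldap:// with StartTLS off: bind DNs and passwords cross the network unencrypted"))
    if cfg.get("skipSSLVerification") is True:
        out.append(("config.skipSSLVerification", "LDAP server certificate is not validated"))
    if cfg.get("ldapProfileFile") not in LDAP_PROFILE_FILES:
        out.append(("config.ldapProfileFile", "not one of the documented profile files"))
    if cfg.get("ldapGroupFile") not in LDAP_GROUP_FILES:
        out.append(("config.ldapGroupFile", "not one of the documented group files"))
    for key in ("aliasId", "aliasZid"):
        if idp.get(key) is not None:
            out.append((key, "must be null: alias providers are not supported for LDAP"))
    return out


def _audit_saml(idp, cfg):
    out = []
    location = (cfg.get("metaDataLocation") or "").strip()
    if not location:
        out.append(("config.metaDataLocation", "required: XML string or URL"))
    elif location.lower().startswith("http://"):
        out.append(("config.metaDataLocation", "metadata URL is fetched over plain HTTP"))
    if cfg.get("skipSslValidation") is True:
        out.append(("config.skipSslValidation", "TLS validation is skipped when fetching metadata"))
    if not cfg.get("metadataTrustCheck", False):
        out.append(("config.metadataTrustCheck", "metadata is not validated"))
    if cfg.get("groupMappingMode") == "AS_SCOPES":
        out.append(("config.groupMappingMode", "IdP-asserted group names are used directly as scopes"))
    if cfg.get("showSamlLink") and not cfg.get("linkText"):
        out.append(("config.linkText", "required when showSamlLink is true"))
    return out


def audit_idp(idp):
    """Return a list of (field, finding) pairs for one identity-provider payload."""
    cfg = idp.get("config") or {}
    if isinstance(cfg, str):  # config encoded as a JSON string (rawConfig=false)
        cfg = json.loads(cfg)
    kind = idp.get("type")
    if kind == "ldap":
        return _audit_ldap(idp, cfg)
    if kind == "saml":
        return _audit_saml(idp, cfg)
    return [("type", f"no checks implemented for {kind!r}")]


def flagged_fields(idp):
    """Field paths that produced at least one finding."""
    return {field for field, _ in audit_idp(idp)}


if __name__ == "__main__":
    for label, payload in [("ldap as documented", LDAP_AS_DOCUMENTED),
                           ("ldap over ldaps", LDAP_OVER_TLS),
                           ("saml, string config", SAML_STRING_CONFIG)]:
        print(label)
        for field, finding in audit_idp(payload) or [("-", "no findings")]:
            print(f"  {field}: {finding}")
```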

    LDAP Search and Bind

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: srvcqnos' \
        -H 'Authorization: Bearer 21c9fb6fb2f148dd8ff0eebab23ee838' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: srvcqnos
    Authorization: Bearer 21c9fb6fb2f148dd8ff0eebab23ee838
    Content-Length: 1347
    Host: localhost
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1512
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-bind.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : null,
        "passwordEncoder" : null,
        "localPasswordCompare" : null,
        "mailAttributeName" : "mail",
        "mailSubstitute" : "{0}@my.org",
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-map-to-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : null,
        "tlsConfiguration" : "none"
      },
      "id" : "2395e776-bafd-425b-bb18-bcb268fdd4b0",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1732091788464,
      "last_modified" : 1732091788464,
      "active" : true,
      "identityZoneId" : "srvcqnos",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL of the LDAP server; must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options. Valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    aliasId String Optional The ID of the alias IdP. Must be set to null, since alias identity providers are not supported for LDAP.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Must be set to null, since alias identity providers are not supported for LDAP.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL of the LDAP server; must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options. Valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    aliasId String Optional The ID of the alias IdP. Must be set to null, since alias identity providers are not supported for LDAP.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Must be set to null, since alias identity providers are not supported for LDAP.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error

    LDAP Search and Compare

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'X-Identity-Zone-Subdomain: lpnlhreg' \
        -H 'Authorization: Bearer 7246419836124a5995eaeea21d2ed1a5' \
        -d '{
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    X-Identity-Zone-Subdomain: lpnlhreg
    Authorization: Bearer 7246419836124a5995eaeea21d2ed1a5
    Content-Length: 1424
    Host: localhost
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "bindPassword" : "adminsecret",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "originKey" : "ldap",
      "name" : "ldap name",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1589
    
    {
      "type" : "ldap",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "ldapProfileFile" : "ldap/ldap-search-and-compare.xml",
        "baseUrl" : "ldap://localhost:23389",
        "referral" : null,
        "skipSSLVerification" : false,
        "userDNPattern" : null,
        "userDNPatternDelimiter" : null,
        "bindUserDn" : "cn=admin,ou=Users,dc=test,dc=com",
        "userSearchBase" : "dc=test,dc=com",
        "userSearchFilter" : "cn={0}",
        "passwordAttributeName" : "userPassword",
        "passwordEncoder" : "org.cloudfoundry.identity.uaa.provider.ldap.DynamicPasswordComparator",
        "localPasswordCompare" : true,
        "mailAttributeName" : "mail",
        "mailSubstitute" : null,
        "mailSubstituteOverridesLdap" : false,
        "ldapGroupFile" : "ldap/ldap-groups-as-scopes.xml",
        "groupSearchBase" : "ou=scopes,dc=test,dc=com",
        "groupSearchFilter" : "member={0}",
        "groupsIgnorePartialResults" : null,
        "autoAddGroups" : true,
        "groupSearchSubTree" : true,
        "maxGroupSearchDepth" : 3,
        "groupRoleAttribute" : "description",
        "tlsConfiguration" : "none"
      },
      "id" : "4da3527f-4eba-419d-aaa2-158095f69b0b",
      "originKey" : "ldap",
      "name" : "ldap name",
      "version" : 0,
      "created" : 1732091789416,
      "last_modified" : 1732091789416,
      "active" : true,
      "identityZoneId" : "lpnlhreg",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL of the LDAP server; must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options. Valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    aliasId String Optional The ID of the alias IdP. Must be set to null, since alias identity providers are not supported for LDAP.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Must be set to null, since alias identity providers are not supported for LDAP.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required ldap
    originKey String Required Origin key must be ldap for an LDAP provider
    config.ldapProfileFile String Required The file to be used for configuring the LDAP authentication. Options are: ldap/ldap-simple-bind.xml, ldap/ldap-search-and-bind.xml, ldap/ldap-search-and-compare.xml
    config.ldapGroupFile String Required The file to be used for group integration. Options are: ldap/ldap-groups-null.xml, ldap/ldap-groups-as-scopes.xml, ldap/ldap-groups-map-to-scopes.xml
    config.baseUrl String Required The URL of the LDAP server; must start with ldap:// or ldaps://
    config.bindPassword String Required Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
    config.mailAttributeName String Optional (defaults to "mail") The name of the LDAP attribute that contains the user's email address
    config.mailSubstitute String Optional Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
    config.mailSubstituteOverridesLdap Boolean Optional (defaults to false) Set to true if you wish to override an LDAP user email address with a generated one
    config.skipSSLVerification Boolean Optional (defaults to false) Skips validation of the LDAP cert if set to true.
    config.tlsConfiguration String Optional (defaults to "none") Sets the StartTLS options. Valid values are none, simple or external
    config.referral String Optional (defaults to "follow") Configures the UAA LDAP referral behavior. The following values are possible:
    • follow → Referrals are followed
    • ignore → Referrals are ignored and the partial result is returned
    • throw → An error is thrown and the authentication is aborted
    Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.user_name String Optional (defaults to "user_name") Map user_name to the attribute for user name in the provider assertion or token. The default for LDAP is the User Name filter
    config.attributeMappings.first_name String Optional (defaults to "givenname") Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional (defaults to "sn") Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional (defaults to "telephonenumber") Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    aliasId String Optional The ID of the alias IdP. Must be set to null, since alias identity providers are not supported for LDAP.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Must be set to null, since alias identity providers are not supported for LDAP.

    Error Codes

    Error Code Description
    401 Unauthorized - Missing or invalid token
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error
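
    The field constraints in the LDAP Search and Bind and LDAP Search and Compare tables can be checked before a body is POSTed to /identity-providers. The following is an added example, not part of the UAA documentation or code base: audit_ldap_idp and its warning codes are hypothetical names, PAGE_EXAMPLE is a trimmed copy of the Search and Bind request above, and HARDENED is a constructed variant with a placeholder host.

```python
from urllib.parse import urlparse

# Allowed values, copied from the Request Fields tables on this page.
PROFILE_FILES = {"ldap/ldap-simple-bind.xml", "ldap/ldap-search-and-bind.xml",
                 "ldap/ldap-search-and-compare.xml"}
GROUP_FILES = {"ldap/ldap-groups-null.xml", "ldap/ldap-groups-as-scopes.xml",
               "ldap/ldap-groups-map-to-scopes.xml"}
TLS_VALUES = {"none", "simple", "external"}
REFERRAL_VALUES = {"follow", "ignore", "throw"}
# Profiles for which the tables say config.bindPassword is used.
NEEDS_BIND_PASSWORD = {"ldap/ldap-search-and-bind.xml",
                       "ldap/ldap-search-and-compare.xml"}


def audit_ldap_idp(payload):
    """Check an LDAP identity-provider request body (hypothetical helper).

    Returns (errors, warnings) as lists of (code, message) tuples. Errors are
    violations of the documented constraints; warnings are accepted settings
    that weaken the deployment.
    """
    errors, warnings = [], []
    cfg = payload.get("config") or {}

    if payload.get("type") != "ldap":
        errors.append(("type", "type must be ldap"))
    if payload.get("originKey") != "ldap":
        errors.append(("originKey", "originKey must be ldap for an LDAP provider"))
    if not payload.get("name"):
        errors.append(("name", "name is required"))
    for key in ("aliasId", "aliasZid"):
        if payload.get(key) is not None:
            errors.append((key, key + " must be null for LDAP providers"))

    profile = cfg.get("ldapProfileFile")
    if profile not in PROFILE_FILES:
        errors.append(("ldapProfileFile", "unknown profile file: %r" % profile))
    if cfg.get("ldapGroupFile") not in GROUP_FILES:
        errors.append(("ldapGroupFile", "unknown group file"))
    if profile in NEEDS_BIND_PASSWORD and not cfg.get("bindPassword"):
        errors.append(("bindPassword", "bindPassword is required for %s" % profile))

    # A null value means the documented default applies.
    scheme = urlparse(cfg.get("baseUrl") or "").scheme.lower()
    tls = cfg.get("tlsConfiguration") or "none"
    referral = cfg.get("referral") or "follow"
    shadow = cfg.get("addShadowUserOnLogin")
    shadow = True if shadow is None else shadow

    if scheme not in ("ldap", "ldaps"):
        errors.append(("baseUrl", "baseUrl must start with ldap:// or ldaps://"))
    if tls not in TLS_VALUES:
        errors.append(("tlsConfiguration", "must be none, simple or external"))
    if referral not in REFERRAL_VALUES:
        errors.append(("referral", "must be follow, ignore or throw"))

    if scheme == "ldap" and tls == "none":
        warnings.append(("cleartext-transport",
                         "ldap:// without StartTLS: binds and search results "
                         "are sent unencrypted"))
    if cfg.get("skipSSLVerification"):
        warnings.append(("cert-validation-disabled",
                         "the LDAP server certificate is not validated"))
    if referral == "follow":
        warnings.append(("referral-follow",
                         "referrals returned by the directory are followed; "
                         "use ignore or throw to stop at the configured server"))
    if shadow:
        warnings.append(("shadow-users",
                         "users can authenticate without a pre-populated "
                         "record in the users database"))
    return errors, warnings


# Trimmed copy of the Search and Bind request body shown on this page.
PAGE_EXAMPLE = {
    "type": "ldap", "originKey": "ldap", "name": "ldap name",
    "aliasId": None, "aliasZid": None,
    "config": {
        "ldapProfileFile": "ldap/ldap-search-and-bind.xml",
        "ldapGroupFile": "ldap/ldap-groups-map-to-scopes.xml",
        "baseUrl": "ldap://localhost:23389", "tlsConfiguration": "none",
        "skipSSLVerification": False, "referral": None,
        "bindPassword": "adminsecret", "addShadowUserOnLogin": True,
    },
}

# Constructed variant: placeholder host, LDAPS, no referral chasing,
# shadow users created by an administrator before login.
HARDENED = dict(PAGE_EXAMPLE, config=dict(
    PAGE_EXAMPLE["config"], baseUrl="ldaps://ldap.example.internal:636",
    referral="throw", addShadowUserOnLogin=False))

if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        errs, warns = audit_ldap_idp(body)
        print(label, [c for c, _ in errs], [c for c, _ in warns])
```
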

    OAuth/OIDC

    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 36bbfad0d040420eaa18545321effdcd' \
        -d '{
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "pkce" : true,
        "performRpInitiatedLogout" : true,
        "cacheJwks" : true
      },
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 36bbfad0d040420eaa18545321effdcd
    Content-Length: 1162
    Host: localhost
    
    {
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "pkce" : true,
        "performRpInitiatedLogout" : true,
        "cacheJwks" : true
      },
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1428
    
    {
      "type" : "oauth2.0",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : "http://auth.url",
        "tokenUrl" : "http://token.url",
        "tokenKeyUrl" : null,
        "tokenKey" : "token-key",
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : false,
        "relyingPartyId" : "uaa",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "pkce" : true,
        "performRpInitiatedLogout" : true,
        "authMethod" : "client_secret_basic",
        "cacheJwks" : true,
        "checkTokenUrl" : null
      },
      "id" : "f6787b06-4126-4d26-8776-9a406019ccfa",
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1732091789067,
      "last_modified" : 1732091789067,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If the list is empty, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oauth2.0"
    originKey String Required A unique alias for an OAuth provider
    config.authUrl String Required The OAuth 2.0 authorization endpoint URL
    config.tokenUrl String Required The OAuth 2.0 token endpoint URL
    config.tokenKeyUrl String Optional The URL of the token key endpoint which renders the JWKS (verification key for validating token signatures).
    config.cacheJwks Boolean Used only if discoveryUrl or tokenKeyUrl is set. UAA 77.11.0. Option to enable caching for the JWKS (verification key for validating token signatures). Setting it to true increases UAA performance and is hence recommended. Setting it to false forces UAA to fetch the remote JWKS at each token validation, which impacts performance but may be required when the remote JWKS changes very frequently.
    config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
    config.userInfoUrl String Optional A URL for fetching user info attributes when queried with the obtained token authorization.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth provider
    config.checkTokenUrl Object Optional Reserved for future OAuth use.
    config.logoutUrl Object Optional OAuth 2.0 logout endpoint.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, which is sent to the OAuth server; defaults to code
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.pkce Boolean Optional (defaults to true) A flag controlling whether PKCE (RFC 7636) is active in authorization code flow when requesting tokens from the external provider.
    config.performRpInitiatedLogout Boolean Optional (defaults to true) A flag controlling whether to log out of the external provider after a successful UAA logout per OIDC RP-Initiated Logout
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub
    config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external claim values to OAuth scopes using the group mappings, or AS_SCOPES to use claim value names as scopes. You also need to define external_groups for the mapping in order to use this feature.
    config.authMethod String Optional (defaults to "client_secret_basic") UAA 77.10.0 Define an explicit method to authenticate against the identity provider. Supported values are client_secret_basic, client_secret_post, private_key_jwt, and none. Remark: If you switch the method from client_secret_basic to private_key_jwt or to none, your existing config.relyingPartySecret will be removed from the UAA database. If you want to switch back to client_secret_basic, provide a config.relyingPartySecret in the configuration again.
    config.jwtClientAuthentication Object Required if config.authMethod is set to private_key_jwt UAA 76.5.0 Only effective if relyingPartySecret is not set or null. Creates private_key_jwt client authentication according to the OIDC or OAuth2 (RFC 7523) standard.
    For standard OIDC compliance, set this field to true. Alternatively, you can further configure the created JWT for client authentication by setting this parameter to an Object containing sub-parameters, e.g. if your IdP follows the OAuth2 standard according to RFC 7523. The supported sub-parameters are:
    • kid UAA 76.18.0 Optional custom key from your defined keys, defaults to activeKeyId from token policy section
    • key UAA 77.4.0 Optional custom private key, used to generate the client JWT signature, defaults to key from token policy, depending on kid
    • cert UAA 77.4.0 Optional custom X509 certificate, related to key, used to generate the client JWT with x5t header, defaults to a cert from token policy or omits x5t header
    • iss Optional custom issuer, see RFC 7523, defaults to relyingPartyId for OIDC compliance
    • aud Optional custom audience, see RFC 7523, defaults to tokenUrl for OIDC compliance

    The values in the list can be a reference to another section in the UAA YAML, e.g. define for key a reference like ${"jwt.client.key"}. This will load the private key from the YAML context jwt.client.key. The advantage is that you can use a single key for many IdP configurations and the key itself is not persisted in the UAA DB.

    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, the record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    aliasId String Optional The ID of the alias IdP. Must be set to null.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Defaults to null. Only supported for identity providers of type "saml", "oidc1.0" and "oauth2.0". If set, the field must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias identity providers can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". If set, an alias identity provider is created in the referenced zone and aliasId is set accordingly.
    config.relyingPartySecret String Required if config.authMethod is set to client_secret_basic. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If the list is empty, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oauth2.0"
    originKey String Required A unique alias for an OAuth provider
    config.authUrl String Required The OAuth 2.0 authorization endpoint URL
    config.tokenUrl String Required The OAuth 2.0 token endpoint URL
    config.tokenKeyUrl String Optional The URL of the token key endpoint which renders the JWKS (verification key for validating token signatures).
    config.cacheJwks Boolean Used only if discoveryUrl or tokenKeyUrl is set. UAA 77.11.0. Option to enable caching for the JWKS (verification key for validating token signatures). Setting it to true increases UAA performance and is hence recommended. Setting it to false forces UAA to fetch the remote JWKS at each token validation, which impacts performance but may be required when the remote JWKS changes very frequently.
    config.tokenKey String Optional A verification key for validating token signatures, set to null if a tokenKeyUrl is provided.
    config.userInfoUrl String Optional A URL for fetching user info attributes when queried with the obtained token authorization.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth provider
    config.checkTokenUrl Object Optional Reserved for future OAuth use.
    config.logoutUrl Object Optional OAuth 2.0 logout endpoint.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, which is sent to the OAuth server; defaults to code
    config.clientAuthInBody Boolean Optional (defaults to false) Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header.
    config.pkce Boolean Optional (defaults to true) A flag controlling whether PKCE (RFC 7636) is active in authorization code flow when requesting tokens from the external provider.
    config.performRpInitiatedLogout Boolean Optional (defaults to true) A flag controlling whether to log out of the external provider after a successful UAA logout per OIDC RP-Initiated Logout
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub
    config.groupMappingMode String Optional (defaults to "EXPLICITLY_MAPPED") Either EXPLICITLY_MAPPED in order to map external claim values to OAuth scopes using the group mappings, or AS_SCOPES to use claim value names as scopes. You also need to define external_groups for the mapping in order to use this feature.
    config.authMethod String Optional (defaults to "client_secret_basic") UAA 77.10.0 Define an explicit method to authenticate against the identity provider. Supported values are client_secret_basic, client_secret_post, private_key_jwt, and none. Remark: If you switch the method from client_secret_basic to private_key_jwt or to none, your existing config.relyingPartySecret will be removed from the UAA database. If you want to switch back to client_secret_basic, provide a config.relyingPartySecret in the configuration again.
    config.jwtClientAuthentication Object Required if config.authMethod is set to private_key_jwt UAA 76.5.0 Only effective if relyingPartySecret is not set or null. Creates private_key_jwt client authentication according to the OIDC or OAuth2 (RFC 7523) standard.
    For standard OIDC compliance, set this field to true. Alternatively, you can further configure the created JWT for client authentication by setting this parameter to an Object containing sub-parameters, e.g. if your IdP follows the OAuth2 standard according to RFC 7523. The supported sub-parameters are:
    • kid UAA 76.18.0 Optional custom key from your defined keys, defaults to activeKeyId from token policy section
    • key UAA 77.4.0 Optional custom private key, used to generate the client JWT signature, defaults to key from token policy, depending on kid
    • cert UAA 77.4.0 Optional custom X509 certificate, related to key, used to generate the client JWT with x5t header, defaults to a cert from token policy or omits x5t header
    • iss Optional custom issuer, see RFC 7523, defaults to relyingPartyId for OIDC compliance
    • aud Optional custom audience, see RFC 7523, defaults to tokenUrl for OIDC compliance

    The values in the list can be a reference to another section in the UAA YAML, e.g. define for key a reference like ${"jwt.client.key"}. This will load the private key from the YAML context jwt.client.key. The advantage is that you can use a single key for many IdP configurations and the key itself is not persisted in the UAA DB.

    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, the record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    aliasId String Optional The ID of the alias IdP. Must be set to null.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Defaults to null. Only supported for identity providers of type "saml", "oidc1.0" and "oauth2.0". If set, the field must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias identity providers can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". If set, an alias identity provider is created in the referenced zone and aliasId is set accordingly.
    config.relyingPartySecret String Required if config.authMethod is set to client_secret_basic. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error
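
    The field descriptions above carry several security-relevant recommendations: JWKS-based key rotation instead of a static tokenKey, PKCE, jwtClientAuthentication instead of a shared secret, and SSL validation towards the provider. The following audit of an identity provider definition is an added example, not part of the UAA documentation or code base; the function names, severity labels and the reduced sample bodies are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# URL-valued config fields from the field tables on this page.
URL_FIELDS = ("discoveryUrl", "authUrl", "tokenUrl", "tokenKeyUrl",
              "userInfoUrl", "logoutUrl")
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}  # labels are an assumption

# Constructed samples: reduced copies of the two request bodies on this page.
OAUTH2_SAMPLE = {
    "type": "oauth2.0",
    "originKey": "my-oauth2-provider",
    "config": {
        "authUrl": "http://auth.url",
        "tokenUrl": "http://token.url",
        "tokenKeyUrl": None,
        "tokenKey": "token-key",
        "skipSslValidation": False,
        "relyingPartyId": "uaa",
        "relyingPartySecret": "secret",
        "issuer": None,
        "pkce": True,
    },
}
OIDC_SAMPLE = {
    "type": "oidc1.0",
    "originKey": "my-oidc-provider-kq8zpc",
    "config": {
        "discoveryUrl": "https://accounts.google.com/.well-known/openid-configuration",
        "externalGroupsWhitelist": ["uaa.user"],
        "skipSslValidation": True,
        "relyingPartyId": "uaa",
        "relyingPartySecret": "secret",
        "issuer": None,
        "pkce": True,
        "passwordGrantEnabled": False,
    },
}


def load_config(idp):
    """Return config as a dict; without rawConfig=true it is a JSON string."""
    config = idp.get("config") or {}
    return json.loads(config) if isinstance(config, str) else config


def audit_idp(idp):
    """Return findings as (severity, field, message), most severe first."""
    cfg = load_config(idp)
    findings = []

    if cfg.get("skipSslValidation") is True:
        findings.append(("high", "skipSslValidation",
                         "certificate validation towards the provider is off"))

    for field in URL_FIELDS:
        url = cfg.get(field)
        if isinstance(url, str) and url and urlsplit(url).scheme.lower() != "https":
            findings.append(("high", field, f"not an https URL: {url}"))

    # Requests carry relyingPartySecret; responses omit it but report authMethod.
    uses_secret = bool(cfg.get("relyingPartySecret")) or cfg.get("authMethod") in (
        "client_secret_basic", "client_secret_post")
    if uses_secret:
        findings.append(("info", "authMethod",
                         "shared secret; the page recommends jwtClientAuthentication"))

    # pkce defaults to true, so only an explicit false counts. A client with
    # neither a secret nor jwtClientAuthentication is public and relies on PKCE.
    if cfg.get("pkce") is False:
        public = not uses_secret and not cfg.get("jwtClientAuthentication")
        findings.append(("high" if public else "medium", "pkce",
                         "PKCE disabled" + (" for a public client" if public else "")))

    # A static tokenKey with no JWKS source cannot follow key rotation.
    if cfg.get("tokenKey") and not (cfg.get("tokenKeyUrl") or cfg.get("discoveryUrl")):
        findings.append(("medium", "tokenKey", "static key, no JWKS URL for rotation"))

    # OIDC discovery metadata carries an issuer, so only flag when both are absent.
    if not cfg.get("issuer") and not cfg.get("discoveryUrl"):
        findings.append(("info", "issuer", "no issuer value pinned in the config"))

    if cfg.get("passwordGrantEnabled") is True:
        findings.append(("medium", "passwordGrantEnabled",
                         "Resource Owner Password Grant enabled for this provider"))

    if "*" in (cfg.get("externalGroupsWhitelist") or []):
        findings.append(("info", "externalGroupsWhitelist", "every external group passes"))

    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


if __name__ == "__main__":
    for sample in (OAUTH2_SAMPLE, OIDC_SAMPLE):
        print(sample["originKey"])
        for severity, field, message in audit_idp(sample):
            print(f"  [{severity}] {field}: {message}")
```

    The audit accepts a request or response body of the call above, with or without rawConfig=true.
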
    $ curl 'http://localhost/identity-providers?rawConfig=true' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer bdcbafd193674cd1bd87ecbd65f7e27e' \
        -d '{
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ "uaa.user" ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "pkce" : true,
        "performRpInitiatedLogout" : true,
        "cacheJwks" : true,
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
        "passwordGrantEnabled" : false,
        "setForwardHeader" : false,
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ]
      },
      "originKey" : "my-oidc-provider-kq8zpc",
      "name" : "UAA Provider",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }'
    
    POST /identity-providers?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer bdcbafd193674cd1bd87ecbd65f7e27e
    Content-Length: 1655
    Host: localhost
    
    {
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ "uaa.user" ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "relyingPartySecret" : "secret",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "pkce" : true,
        "performRpInitiatedLogout" : true,
        "cacheJwks" : true,
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
        "passwordGrantEnabled" : false,
        "setForwardHeader" : false,
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ]
      },
      "originKey" : "my-oidc-provider-kq8zpc",
      "name" : "UAA Provider",
      "active" : true,
      "aliasId" : null,
      "aliasZid" : null
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1856
    
    {
      "type" : "oidc1.0",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "externalGroupsWhitelist" : [ "uaa.user" ],
        "attributeMappings" : {
          "email_verified" : "emailVerified",
          "external_groups" : [ "roles" ],
          "user.attribute.department" : "department",
          "phone_number" : "telephone",
          "given_name" : "first_name",
          "family_name" : "last_name",
          "email" : "emailAddress"
        },
        "addShadowUserOnLogin" : true,
        "storeCustomAttributes" : true,
        "authUrl" : null,
        "tokenUrl" : null,
        "tokenKeyUrl" : null,
        "tokenKey" : null,
        "userInfoUrl" : null,
        "logoutUrl" : null,
        "linkText" : null,
        "showLinkText" : false,
        "clientAuthInBody" : false,
        "skipSslValidation" : true,
        "relyingPartyId" : "uaa",
        "scopes" : null,
        "issuer" : null,
        "responseType" : "code",
        "userPropagationParameter" : "username",
        "pkce" : true,
        "performRpInitiatedLogout" : true,
        "authMethod" : "client_secret_basic",
        "cacheJwks" : true,
        "discoveryUrl" : "https://accounts.google.com/.well-known/openid-configuration",
        "passwordGrantEnabled" : false,
        "setForwardHeader" : false,
        "prompts" : [ {
          "name" : "username",
          "type" : "text",
          "text" : "Email"
        }, {
          "name" : "password",
          "type" : "password",
          "text" : "Password"
        }, {
          "name" : "passcode",
          "type" : "password",
          "text" : "Temporary Authentication Code (Get on at /passcode)"
        } ]
      },
      "id" : "355acf14-3fcd-4823-a08c-2bd8d93eec7e",
      "originKey" : "my-oidc-provider-kq8zpc",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1732091789169,
      "last_modified" : 1732091789169,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If the list is empty, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oidc1.0"
    originKey String Required A unique alias for the OIDC 1.0 provider
    config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configuration
    config.authUrl String Required unless discoveryUrl is set. The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenUrl String Required unless discoveryUrl is set. The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKeyUrl String Required unless discoveryUrl is set. The URL of the token key endpoint which renders the JWKS (verification key for validating token signatures). This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.cacheJwks Boolean Used only if discoveryUrl or tokenKeyUrl is set. UAA 77.11.0. Option to enable caching for the JWKS (verification key for validating token signatures). Setting it to true increases UAA performance and is hence recommended. Setting it to false forces UAA to fetch the remote JWKS at each token validation, which impacts performance but may be required when the remote JWKS changes very frequently.
    config.tokenKey String Required unless discoveryUrl is set. A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional What scopes to request on a call to the external OAuth/OpenID provider. For example, you can provide openid, roles, or profile to request the ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively.
    config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
    config.clientAuthInBody Boolean Optional (defaults to false) Only effective if relyingPartySecret is defined. Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. It is recommended to set jwtClientAuthentication:true instead.
    config.pkce Boolean Optional (defaults to true) A flag controlling whether PKCE (RFC 7636) is active in authorization code flow when requesting tokens from the external provider.
    config.performRpInitiatedLogout Boolean Optional (defaults to true) A flag controlling whether to log out of the external provider after a successful UAA logout per OIDC RP-Initiated Logout
    config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.logoutUrl Object Optional OIDC logout endpoint. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.externalGroupsWhitelist Array Optional JSON Array containing the group names which need to be populated in the user's id_token or response from /userinfo endpoint. If you don't specify the whitelist, no groups will be populated in the id_token or /userinfo response.
    Please note that regex is allowed. Acceptable patterns are:
    • * translates to all groups
    • *pattern* Contains pattern
    • pattern* Starts with pattern
    • *pattern Ends with pattern
    config.passwordGrantEnabled Boolean Optional (defaults to false) Enable Resource Owner Password Grant flow for this identity provider.
    config.setForwardHeader Boolean Optional (defaults to false) Only effective if Password Grant enabled. Set X-Forward-For header in Password Grant request to this identity provider.
    config.authMethod String Optional (defaults to "client_secret_basic") UAA 77.10.0 Define an explicit method to authenticate against the identity provider. Supported values are client_secret_basic, client_secret_post, private_key_jwt, and none. Remark: If you switch the method from client_secret_basic to private_key_jwt or to none, your existing config.relyingPartySecret will be removed from the UAA database. If you want to switch back to client_secret_basic, provide a config.relyingPartySecret in the configuration again.
    config.jwtClientAuthentication Object Required if config.authMethod is set to private_key_jwt UAA 76.5.0 Only effective if relyingPartySecret is not set or null. Creates private_key_jwt client authentication according to OIDC or OAuth2 (RFC 7523) standard.
    For standard OIDC compliance, set this field to true. Alternatively, you can further configure the created JWT for client authentication by setting this parameter to an Object containing sub-parameters, e.g. if your IdP follows OAuth2 standard according to RFC 7523. The supported sub-parameters are
    • kid UAA 76.18.0 Optional custom key from your defined keys, defaults to activeKeyId from token policy section
    • key UAA 77.4.0 Optional custom private key, used to generate the client JWT signature, defaults to key from token policy, depending on kid
    • cert UAA 77.4.0 Optional custom X509 certificate, related to key, used to generate the client JWT with x5t header, defaults to a cert from token policy or omits x5t header
    • iss Optional custom issuer, see RFC 7523, defaults to relyingPartyId for OIDC compliance
    • aud Optional custom audience, see RFC 7523, defaults to tokenUrl for OIDC compliance

    The values in the list can reference another section of the UAA YAML, e.g. for key define a reference like ${"jwt.client.key"}. This loads the private key from the YAML context jwt.client.key. The advantage is that a single key can be used for many IdP configurations and the key itself is not persisted in the UAA DB.

    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub.
    config.additionalAuthzParameters Object Optional UAA 76.17.0 Map of key-value pairs that are added as additional parameters for grant type authorization_code. For example, configure an entry with key token_format and value jwt.
    config.prompts[] Array Optional List of fields that users are prompted for when authenticating to the OIDC provider through the password grant flow. Defaults to username, password, and passcode. Any additional prompts beyond username, password, and passcode will be forwarded on to the OIDC provider.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    aliasId String Optional The ID of the alias IdP. Must be set to null.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Defaults to null. Only supported for identity providers of type "saml", "oidc1.0" and "oauth2.0". If set, the field must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias identity providers can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". If set, an alias identity provider is created in the referenced zone and aliasId is set accordingly.
    config.relyingPartySecret String Required if config.authMethod is set to client_secret_basic. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as a public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true, to store custom user attributes to be fetched from the /userinfo endpoint
    type String Required "oidc1.0"
    originKey String Required A unique alias for the OIDC 1.0 provider
    config.discoveryUrl String Optional The OpenID Connect Discovery URL, typically ends with /.well-known/openid-configuration
    config.authUrl String Required unless discoveryUrl is set. The OIDC 1.0 authorization endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenUrl String Required unless discoveryUrl is set. The OIDC 1.0 token endpoint URL. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.tokenKeyUrl String Required unless discoveryUrl is set. The URL of the token key endpoint which renders the JWKS (verification key for validating token signatures). This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.cacheJwks Boolean Used only if discoveryUrl or tokenKeyUrl is set. UAA 77.11.0. Option to enable caching for the JWKS (verification key for validating token signatures). Setting it to true increases UAA performance and is hence recommended. Setting it to false forces UAA to fetch the remote JWKS at each token validation, which impacts performance but may be required when the remote JWKS changes very frequently.
    config.tokenKey String Required unless discoveryUrl is set. A verification key for validating token signatures. We recommend not setting this as it will not allow for key rotation. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.showLinkText Boolean Optional (defaults to true) A flag controlling whether a link to this provider's login will be shown on the UAA login page
    config.linkText String Optional Text to use for the login link to the provider
    config.relyingPartyId String Required The client ID which is registered with the external OAuth provider for use by the UAA
    config.skipSslValidation Boolean Optional A flag controlling whether SSL validation should be skipped when communicating with the external OAuth server
    config.scopes Array Optional Scopes to request on a call to the external OAuth/OpenID provider. For example, you can provide openid, roles, or profile to request the ID token, scopes populated in the ID token external groups attribute mappings, or the user profile information, respectively.
    config.checkTokenUrl Object Optional Reserved for future OAuth/OIDC use.
    config.clientAuthInBody Boolean Optional (defaults to false) Only effective if relyingPartySecret is defined. Sends the client credentials in the token retrieval call as body parameters instead of a Basic Authorization header. It is recommended to set jwtClientAuthentication:true instead.
    config.pkce Boolean Optional (defaults to true) A flag controlling whether PKCE (RFC 7636) is active in authorization code flow when requesting tokens from the external provider.
    config.performRpInitiatedLogout Boolean Optional (defaults to true) A flag controlling whether to log out of the external provider after a successful UAA logout per OIDC RP-Initiated Logout
    config.userInfoUrl Object Optional Reserved for future OIDC use. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.logoutUrl Object Optional OIDC logout endpoint. This can be left blank if a discovery URL is provided. If both are provided, this property overrides the discovery URL.
    config.responseType String Optional (defaults to "code") Response type for the authorize request, defaults to code, but can be code id_token if the OIDC server can return an id_token as a query parameter in the redirect.
    config.issuer String Optional The OAuth 2.0 token issuer. This value is used to validate the issuer inside the token.
    config.userPropagationParameter String Optional (defaults to "username") Name of the request parameter that is used to pass a known username when redirecting to this identity provider from the account chooser
    config.externalGroupsWhitelist Array Optional JSON Array containing the group names which need to be populated in the user's id_token or response from /userinfo endpoint. If you don't specify the whitelist, no groups will be populated in the id_token or /userinfo response.
    Please note that regex is allowed. Acceptable patterns are:
    • * translates to all groups
    • *pattern* Contains pattern
    • pattern* Starts with pattern
    • *pattern Ends with pattern
    config.passwordGrantEnabled Boolean Optional (defaults to false) Enable Resource Owner Password Grant flow for this identity provider.
    config.setForwardHeader Boolean Optional (defaults to false) Only effective if Password Grant enabled. Set X-Forward-For header in Password Grant request to this identity provider.
    config.authMethod String Optional (defaults to "client_secret_basic") UAA 77.10.0 Define an explicit method to authenticate against the identity provider. Supported values are client_secret_basic, client_secret_post, private_key_jwt, and none. Remark: If you switch the method from client_secret_basic to private_key_jwt or to none, your existing config.relyingPartySecret will be removed from the UAA database. If you want to switch back to client_secret_basic, provide a config.relyingPartySecret in the configuration again.
    config.jwtClientAuthentication Object Required if config.authMethod is set to private_key_jwt UAA 76.5.0 Only effective if relyingPartySecret is not set or null. Creates private_key_jwt client authentication according to OIDC or OAuth2 (RFC 7523) standard.
    For standard OIDC compliance, set this field to true. Alternatively, you can further configure the created JWT for client authentication by setting this parameter to an Object containing sub-parameters, e.g. if your IdP follows OAuth2 standard according to RFC 7523. The supported sub-parameters are
    • kid UAA 76.18.0 Optional custom key from your defined keys, defaults to activeKeyId from token policy section
    • key UAA 77.4.0 Optional custom private key, used to generate the client JWT signature, defaults to key from token policy, depending on kid
    • cert UAA 77.4.0 Optional custom X509 certificate, related to key, used to generate the client JWT with x5t header, defaults to a cert from token policy or omits x5t header
    • iss Optional custom issuer, see RFC 7523, defaults to relyingPartyId for OIDC compliance
    • aud Optional custom audience, see RFC 7523, defaults to tokenUrl for OIDC compliance

    The values in the list can reference another section of the UAA YAML, e.g. for key define a reference like ${"jwt.client.key"}. This loads the private key from the YAML context jwt.client.key. The advantage is that a single key can be used for many IdP configurations and the key itself is not persisted in the UAA DB.

    config.attributeMappings.user_name String Optional (defaults to "sub") Map user_name to the attribute for user name in the provider assertion or token. The default for OpenID Connect is sub.
    config.additionalAuthzParameters Object Optional UAA 76.17.0 Map of key-value pairs that are added as additional parameters for grant type authorization_code. For example, configure an entry with key token_format and value jwt.
    config.prompts[] Array Optional List of fields that users are prompted for when authenticating to the OIDC provider through the password grant flow. Defaults to username, password, and passcode. Any additional prompts beyond username, password, and passcode will be forwarded on to the OIDC provider.
    config.prompts[].name String Optional Name of field
    config.prompts[].type String Optional What kind of field this is (e.g. text or password)
    config.prompts[].text String Optional Actual text displayed on prompt for field
    config.attributeMappings Object Optional Map external attribute to UAA recognized mappings.
    config.attributeMappings.email String Optional Map email to the attribute for email in the provider assertion or token.
    config.attributeMappings.given_name String Optional Map given_name to the attribute for given name in the provider assertion or token.
    config.attributeMappings.family_name String Optional Map family_name to the attribute for family name in the provider assertion or token.
    config.attributeMappings.phone_number String Optional Map phone_number to the attribute for phone number in the provider assertion or token.
    config.attributeMappings.email_verified String Optional Maps the attribute on the assertion to the email_verified user record at the time of authentication. Default is false. Once set to true, record remains true for subsequent authentications.
    config.attributeMappings.external_groups Array Optional Map external_groups to the attribute for groups in the provider assertion.
    config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
    aliasId String Optional The ID of the alias IdP. Must be set to null.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Defaults to null. Only supported for identity providers of type "saml", "oidc1.0" and "oauth2.0". If set, the field must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias identity providers can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". If set, an alias identity provider is created in the referenced zone and aliasId is set accordingly.
    config.relyingPartySecret String Required if config.authMethod is set to client_secret_basic. The client secret of the relying party at the external OAuth provider. If not set and jwtClientAuthentication is not set, then the external OAuth client is treated as a public client and the flow is protected with PKCE using code challenge method S256. It is recommended to set jwtClientAuthentication:true instead.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    409 Conflict - Provider with same origin and zone id exists
    422 Unprocessable Entity - Invalid configuration
    500 Internal Server Error
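
The recommendations in the field tables above (leave tokenKey unset, keep SSL validation and PKCE on, prefer jwtClientAuthentication over a client secret, avoid the * group pattern) can be checked across every OAuth/OIDC provider returned by GET /identity-providers. This is an added example, not part of the UAA documentation or code base: the function names and check ids are hypothetical, the sample providers are constructed, and it assumes jwtClientAuthentication appears in the returned config when it is configured.

```python
import json

# Provider types that carry the OAuth/OIDC config fields documented above.
OAUTH_TYPES = {"oauth2.0", "oidc1.0"}


def load_config(provider):
    """Return the provider's config as a dict, or None when there is none.

    The list response carries "config" as a JSON-encoded string; providers
    without settings carry the string "null".
    """
    raw = provider.get("config")
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            return None
    return raw if isinstance(raw, dict) else None


def audit_provider(provider):
    """Return (check_id, message) findings for one identity provider."""
    cfg = load_config(provider)
    if cfg is None or provider.get("type") not in OAUTH_TYPES:
        return []
    findings = []
    if cfg.get("skipSslValidation") is True:
        findings.append(("skip-ssl-validation",
                         "SSL validation is skipped towards the external provider"))
    if cfg.get("tokenKey"):
        findings.append(("static-token-key",
                         "tokenKey is set, which does not allow for key rotation"))
    if cfg.get("pkce") is False:
        findings.append(("pkce-disabled",
                         "PKCE is switched off for the authorization code flow"))
    if cfg.get("clientAuthInBody") is True:
        findings.append(("client-auth-in-body",
                         "client credentials are sent as body parameters"))
    method = cfg.get("authMethod") or "client_secret_basic"  # documented default
    if method.startswith("client_secret_") and not cfg.get("jwtClientAuthentication"):
        findings.append(("shared-secret-auth",
                         "uses a client secret; jwtClientAuthentication is recommended"))
    if "*" in (cfg.get("externalGroupsWhitelist") or []):
        findings.append(("all-groups-whitelisted",
                         "externalGroupsWhitelist contains *, so all groups are populated"))
    return findings


def audit(response_text):
    """Map originKey -> list of check ids for every provider in the response."""
    return {p.get("originKey"): [check for check, _ in audit_provider(p)]
            for p in json.loads(response_text)}


def _provider(kind, origin, config):
    # Mirrors the response shape: config is serialised into a string.
    return {"type": kind, "originKey": origin, "active": True,
            "config": json.dumps(config)}


# Constructed sample data, trimmed to the fields the checks read.
SAMPLE_RESPONSE = json.dumps([
    _provider("keystone", "keystone", None),
    _provider("oauth2.0", "example-oauth2", {
        "tokenKey": "token-key", "skipSslValidation": False, "pkce": True,
        "clientAuthInBody": False, "authMethod": "client_secret_basic",
        "externalGroupsWhitelist": []}),
    _provider("oidc1.0", "example-oidc-weak", {
        "tokenKey": None, "skipSslValidation": True, "pkce": False,
        "clientAuthInBody": True, "authMethod": "client_secret_post",
        "externalGroupsWhitelist": ["*"]}),
    _provider("oidc1.0", "example-oidc-jwt", {
        "tokenKey": None, "skipSslValidation": False, "pkce": True,
        "clientAuthInBody": False, "authMethod": "private_key_jwt",
        "jwtClientAuthentication": True,
        "externalGroupsWhitelist": ["uaa.user"]}),
])

if __name__ == "__main__":
    for origin, checks in audit(SAMPLE_RESPONSE).items():
        print(f"{origin}: {', '.join(checks) if checks else 'no findings'}")
```

Feed it the body of a real GET /identity-providers response in place of SAMPLE_RESPONSE; providers whose config is the string "null" are skipped.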

    Retrieve All

    $ curl 'http://localhost/identity-providers?rawConfig=false' -i -X GET \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c61573ad2d2648e1bff7822dfbe646e6'
    
    GET /identity-providers?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c61573ad2d2648e1bff7822dfbe646e6
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 16224
    
    [ {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/SAML\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDForm
at>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAML\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "68935ecc-8d76-483a-88fc-7c2fa6e5add5",
      "originKey" : "SAML",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1732091788197,
      "last_modified" : 1732091788197,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }, {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\"?>\\n<md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\" entityID=\\\"http://example.com/saml2/idp/metadata.php\\\" ID=\\\"_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\\\"><ds:Signature>\\n  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/>\\n    <ds:SignatureMethod Algorithm=\\\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\\\"/>\\n  <ds:Reference URI=\\\"#_7a1d882b1a0cb702f97968d831d70eecce036d6d0c249ae65cca0e91f5656d58\\\"><ds:Transforms><ds:Transform Algorithm=\\\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\\\"/><ds:Transform Algorithm=\\\"http://www.w3.org/2001/10/xml-exc-c14n#\\\"/></ds:Transforms><ds:DigestMethod 
Algorithm=\\\"http://www.w3.org/2001/04/xmlenc#sha256\\\"/><ds:DigestValue>HOSWDJYkLvErI1gVynUVmufFVDCKPqExLnnnMjXgoJQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ryMe0PXC+vR/c0nSEhSJsTaF0lHiuZ6PguqCbul7RC9WKLmFS9DD7Dgp3WHQ2zWpRimCTHxw/VO9hyCTxAcW9zxW4OdpD4YorqcmXtLkpasBCVuFLbQ8oylnjrem4kpGflfnuk3bW1mp6AXy52jwALDm8MsTwLK+O74YkeVTPP5bki/PK0N4jHnhYhvhHKUyT8Gug0v2o4KA/1ik83e9vcYEFc/9WGpXFeDMF6pXsJQqC/+eWoLfZJDNrwSsSlg+oD+ZF91YccN9i9lJoaIPcVvPWDfEv7vL79LgnmPBeYxm/fWb4/ANMxvCLIP1R3Ixrz5oFoIX2NP1+uZOpoRWbg==</ds:SignatureValue>\\n<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X
509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>\\n  <md:IDPSSODescriptor protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\">\\n    <md:KeyDescriptor use=\\\"signing\\\">\\n      <ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\">\\n        <ds:X509Data>\\n          <ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\\n        </ds:X509Data>\\n      </ds:KeyInfo>\\n    </md:KeyDescriptor>\\n    <md:KeyDescriptor use=\\\"encryption\\\">\\n      <ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\">\\n        <ds:X509Data>\\n          
<ds:X509Certificate>MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk</ds:X509Certificate>\\n        </ds:X509Data>\\n      </ds:KeyInfo>\\n    </md:KeyDescriptor>\\n    <md:SingleLogoutService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://example.com/saml2/idp/SingleLogoutService.php\\\"/>\\n    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>\\n    <md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"http://example.com/saml2/idp/SSOService.php\\\"/>\\n  </md:IDPSSODescriptor>\\n  <md:ContactPerson 
contactType=\\\"technical\\\">\\n    <md:GivenName>Filip</md:GivenName>\\n    <md:SurName>Hanik</md:SurName>\\n    <md:EmailAddress>[email protected]</md:EmailAddress>\\n  </md:ContactPerson>\\n</md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"SAMLMetadataUrl\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:transient\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:SAML\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "2c5ce8ce-de04-4173-ab5f-947d6997c047",
      "originKey" : "SAMLMetadataUrl",
      "name" : "SAML name",
      "version" : 0,
      "created" : 1732091788288,
      "last_modified" : 1732091788288,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }, {
      "type" : "keystone",
      "config" : "null",
      "id" : "71ce5c1a-e1e9-41f5-a96a-fe51e8943fd0",
      "originKey" : "keystone",
      "name" : "keystone",
      "version" : 0,
      "created" : 946684800000,
      "last_modified" : 946684800000,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }, {
      "type" : "ldap",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"ldapProfileFile\":\"ldap/ldap-search-and-bind.xml\",\"baseUrl\":\"ldap://localhost:389/\",\"referral\":null,\"skipSSLVerification\":false,\"userDNPattern\":null,\"userDNPatternDelimiter\":null,\"bindUserDn\":\"cn=admin,dc=test,dc=com\",\"userSearchBase\":\"dc=test,dc=com\",\"userSearchFilter\":\"cn={0}\",\"passwordAttributeName\":null,\"passwordEncoder\":null,\"localPasswordCompare\":null,\"mailAttributeName\":\"mail\",\"mailSubstitute\":null,\"mailSubstituteOverridesLdap\":false,\"ldapGroupFile\":null,\"groupSearchBase\":null,\"groupSearchFilter\":null,\"groupsIgnorePartialResults\":null,\"autoAddGroups\":true,\"groupSearchSubTree\":true,\"maxGroupSearchDepth\":10,\"groupRoleAttribute\":null,\"tlsConfiguration\":\"none\"}",
      "id" : "36f5d9f4-d247-42dd-9320-00ca515c116a",
      "originKey" : "ldap",
      "name" : "UAA LDAP Provider",
      "version" : 1,
      "created" : 946684800000,
      "last_modified" : 1732091787753,
      "active" : false,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }, {
      "type" : "login-server",
      "config" : "null",
      "id" : "5dc7ccab-b80b-4933-906d-a786be045473",
      "originKey" : "login-server",
      "name" : "login-server",
      "version" : 0,
      "created" : 946684800000,
      "last_modified" : 946684800000,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }, {
      "type" : "oauth2.0",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":\"http://auth.url\",\"tokenUrl\":\"http://token.url\",\"tokenKeyUrl\":null,\"tokenKey\":\"token-key\",\"userInfoUrl\":null,\"logoutUrl\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":false,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userPropagationParameter\":\"username\",\"pkce\":true,\"performRpInitiatedLogout\":true,\"authMethod\":\"client_secret_basic\",\"cacheJwks\":true,\"checkTokenUrl\":null}",
      "id" : "f6787b06-4126-4d26-8776-9a406019ccfa",
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1732091789067,
      "last_modified" : 1732091789067,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }, {
      "type" : "oidc1.0",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[\"uaa.user\"],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":null,\"tokenUrl\":null,\"tokenKeyUrl\":null,\"tokenKey\":null,\"userInfoUrl\":null,\"logoutUrl\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":true,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userPropagationParameter\":\"username\",\"pkce\":true,\"performRpInitiatedLogout\":true,\"authMethod\":\"client_secret_basic\",\"cacheJwks\":true,\"discoveryUrl\":\"https://accounts.google.com/.well-known/openid-configuration\",\"passwordGrantEnabled\":false,\"setForwardHeader\":false,\"prompts\":[{\"name\":\"username\",\"type\":\"text\",\"text\":\"Email\"},{\"name\":\"password\",\"type\":\"password\",\"text\":\"Password\"},{\"name\":\"passcode\",\"type\":\"password\",\"text\":\"Temporary Authentication Code (Get on at /passcode)\"}]}",
      "id" : "355acf14-3fcd-4823-a08c-2bd8d93eec7e",
      "originKey" : "my-oidc-provider-kq8zpc",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1732091789169,
      "last_modified" : 1732091789169,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }, {
      "type" : "uaa",
      "config" : "null",
      "id" : "0485e661-128a-4a89-917a-5effc77ce725",
      "originKey" : "uaa",
      "name" : "uaa",
      "version" : 3,
      "created" : 946684800000,
      "last_modified" : 1732091789265,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    [].type String Type of the identity provider.
    [].originKey String Unique identifier for the identity provider.
    [].name String Human-readable name for this provider
    [].config String JSON config for the Identity Provider
    [].aliasId String The ID of the alias IdP.
    [].aliasZid String The ID of the identity zone in which an alias of this IdP is maintained.
    [].version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    [].active Boolean Defaults to true.
    [].id String Unique identifier for this provider - GUID generated by the UAA
    [].identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    [].created Number UAA sets the creation date
    [].last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Retrieve with Filtering

    $ curl 'http://localhost/identity-providers?rawConfig=false&active_only=false&originKey=my-oauth2-provider' -i -X GET \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c4dbaad4e5a441bca388b2cc280ac4ad'
    
    GET /identity-providers?rawConfig=false&active_only=false&originKey=my-oauth2-provider HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c4dbaad4e5a441bca388b2cc280ac4ad
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1267
    
    [ {
      "type" : "oauth2.0",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"authUrl\":\"http://auth.url\",\"tokenUrl\":\"http://token.url\",\"tokenKeyUrl\":null,\"tokenKey\":\"token-key\",\"userInfoUrl\":null,\"logoutUrl\":null,\"linkText\":null,\"showLinkText\":false,\"clientAuthInBody\":false,\"skipSslValidation\":false,\"relyingPartyId\":\"uaa\",\"scopes\":null,\"issuer\":null,\"responseType\":\"code\",\"userPropagationParameter\":\"username\",\"pkce\":true,\"performRpInitiatedLogout\":true,\"authMethod\":\"client_secret_basic\",\"cacheJwks\":true,\"checkTokenUrl\":null}",
      "id" : "f6787b06-4126-4d26-8776-9a406019ccfa",
      "originKey" : "my-oauth2-provider",
      "name" : "UAA Provider",
      "version" : 0,
      "created" : 1732091789067,
      "last_modified" : 1732091789067,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.
    active_only Boolean Optional (defaults to false) Flag indicating whether only active IdPs should be returned or all.
    originKey String Optional UAA 77.10.0 Return only IdPs with specific origin.

    Response Fields

    Path Type Description
    [].type String Type of the identity provider.
    [].originKey String Unique identifier for the identity provider.
    [].name String Human-readable name for this provider
    [].config String JSON config for the Identity Provider
    [].aliasId String The ID of the alias IdP.
    [].aliasZid String The ID of the identity zone in which an alias of this IdP is maintained.
    [].version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    [].active Boolean Defaults to true.
    [].id String Unique identifier for this provider - GUID generated by the UAA
    [].identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    [].created Number UAA sets the creation date
    [].last_modified Number UAA sets the modification date

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
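
    With the default rawConfig=false, each config value is a JSON-encoded string (or the string "null"), so a client has to decode it before it can inspect any setting. The Python sketch below is an added example, not part of the UAA documentation or code base: it handles both config shapes and reports transport and trust settings that appear in the sample responses above. The sample list is constructed from those responses, and the choice of which settings count as findings is this example's assumption.

```python
import json

# Constructed sample: a trimmed list response built from values in the
# examples above. "config" is a JSON-encoded string (rawConfig=false).
SAMPLE_IDPS = [
    {"type": "ldap", "originKey": "ldap", "active": False,
     "config": json.dumps({"baseUrl": "ldap://localhost:389/",
                           "skipSSLVerification": False,
                           "tlsConfiguration": "none"})},
    {"type": "oauth2.0", "originKey": "my-oauth2-provider", "active": True,
     "config": json.dumps({"authUrl": "http://auth.url",
                           "tokenUrl": "http://token.url",
                           "skipSslValidation": False, "pkce": True})},
    {"type": "oidc1.0", "originKey": "my-oidc-provider-kq8zpc", "active": True,
     "config": json.dumps({
         "skipSslValidation": True, "pkce": True,
         "discoveryUrl":
             "https://accounts.google.com/.well-known/openid-configuration"})},
    {"type": "saml", "originKey": "SAMLMetadataUrl", "active": True,
     "config": json.dumps({"metadataTrustCheck": False,
                           "skipSslValidation": False})},
    {"type": "keystone", "originKey": "keystone", "active": True,
     "config": "null"},
]

# URL-valued settings seen in the oauth2.0 / oidc1.0 configs above.
URL_KEYS = ("authUrl", "tokenUrl", "tokenKeyUrl", "userInfoUrl",
            "discoveryUrl", "logoutUrl", "checkTokenUrl")


def decode_config(idp):
    """Return config as a dict for rawConfig=false (string) and =true (object)."""
    cfg = idp.get("config")
    if isinstance(cfg, str):
        cfg = json.loads(cfg)          # the string "null" decodes to None
    return cfg if isinstance(cfg, dict) else {}


def audit(idps, active_only=False):
    """Return (originKey, finding) pairs; the checks are this example's choice."""
    findings = []
    for idp in idps:
        if active_only and not idp.get("active", True):
            continue
        cfg = decode_config(idp)
        origin, kind = idp.get("originKey"), idp.get("type")

        # The LDAP and OAuth/SAML configs spell this flag differently.
        if cfg.get("skipSslValidation") or cfg.get("skipSSLVerification"):
            findings.append((origin, "TLS certificate validation is skipped"))

        for key in URL_KEYS:
            url = cfg.get(key)
            if isinstance(url, str) and url.lower().startswith("http://"):
                findings.append((origin, f"{key} uses cleartext HTTP"))

        if kind == "ldap":
            base = str(cfg.get("baseUrl") or "").lower()
            if base.startswith("ldap://") and \
                    cfg.get("tlsConfiguration") in (None, "none"):
                findings.append((origin, "LDAP connection has no TLS"))

        if kind == "saml" and cfg.get("metadataTrustCheck") is False:
            findings.append((origin, "SAML metadata trust check is disabled"))

        if kind in ("oauth2.0", "oidc1.0") and cfg.get("pkce") is False:
            findings.append((origin, "PKCE is disabled"))
    return findings


if __name__ == "__main__":
    for origin, finding in audit(SAMPLE_IDPS):
        print(f"{origin}: {finding}")
```

    The active_only argument mirrors the query parameter of the same name, for callers that fetched the full list and want to ignore inactive providers.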

    Retrieve

    $ curl 'http://localhost/identity-providers/aa2dc1c6-f80a-4d93-85c2-da18a23c072f?rawConfig=false' -i -X GET \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer c3decc2bd29c48f5944e44fee6850494'
    
    GET /identity-providers/aa2dc1c6-f80a-4d93-85c2-da18a23c072f?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer c3decc2bd29c48f5944e44fee6850494
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 3248
    
    {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-get\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:Na
meIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-get\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-get\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "aa2dc1c6-f80a-4d93-85c2-da18a23c072f",
      "originKey" : "saml-for-get",
      "name" : "saml-for-get name",
      "version" : 0,
      "created" : 1732091788974,
      "last_modified" : 1732091788974,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or zones.<zone id>.idps.read or uaa.admin or idps.read (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or zones.<zone id>.idps.read or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human-readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Set to true to store custom user attributes so that they can be fetched from the /userinfo endpoint
    type String Type of the identity provider.
    originKey String Unique identifier for the identity provider.
    config String Various configuration properties for the identity provider.
    config.additionalConfiguration Object (Unused.)
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date
    aliasId String The ID of the alias IdP.
    aliasZid String The ID of the identity zone in which an alias of this IdP is maintained.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Update

    $ curl 'http://localhost/identity-providers/0485e661-128a-4a89-917a-5effc77ce725?rawConfig=true' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 81575eb382c14c58a8d6ac2989d2f0a8' \
        -d '{"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true,"aliasId":null,"aliasZid":null}'
    
    PUT /identity-providers/0485e661-128a-4a89-917a-5effc77ce725?rawConfig=true HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 81575eb382c14c58a8d6ac2989d2f0a8
    Content-Length: 311
    Host: localhost
    
    {"type":"uaa","config":{"emailDomain":null,"providerDescription":null,"passwordPolicy":null,"lockoutPolicy":{"lockoutPeriodSeconds":8,"lockoutAfterFailures":8,"countFailuresWithin":8},"disableInternalUserManagement":false},"originKey":"uaa","name":"uaa","version":3,"active":true,"aliasId":null,"aliasZid":null}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 600
    
    {
      "type" : "uaa",
      "config" : {
        "emailDomain" : null,
        "additionalConfiguration" : null,
        "providerDescription" : null,
        "passwordPolicy" : null,
        "lockoutPolicy" : {
          "lockoutPeriodSeconds" : 8,
          "lockoutAfterFailures" : 8,
          "countFailuresWithin" : 8
        },
        "disableInternalUserManagement" : false
      },
      "id" : "0485e661-128a-4a89-917a-5effc77ce725",
      "originKey" : "uaa",
      "name" : "uaa",
      "version" : 4,
      "created" : 946684800000,
      "last_modified" : 1732091789823,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Request and Response Fields

    Path Type Constraints Description
    name String Required Human-readable name for this provider
    config.providerDescription String Optional Human-readable name/description of this provider
    config.emailDomain Array Optional List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Optional Defaults to true.
    config.addShadowUserOnLogin Boolean Optional (defaults to true) Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Optional (defaults to true) Set to true to store custom user attributes so that they can be fetched from the /userinfo endpoint
    type String Required uaa
    originKey String Required A unique identifier for the IDP. Cannot be updated.
    version Number Required Version of the identity provider data. Clients can use this to protect against conflicting updates
    config.passwordPolicy.minLength Number Required when passwordPolicy in the config is not null Minimum number of characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.maxLength Number Required when passwordPolicy in the config is not null Maximum number of characters allowed for password to be considered valid (defaults to 255).
    config.passwordPolicy.requireUpperCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of uppercase characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireLowerCaseCharacter Number Required when passwordPolicy in the config is not null Minimum number of lowercase characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireDigit Number Required when passwordPolicy in the config is not null Minimum number of digits required for password to be considered valid (defaults to 0).
    config.passwordPolicy.requireSpecialCharacter Number Required when passwordPolicy in the config is not null Minimum number of special characters required for password to be considered valid (defaults to 0).
    config.passwordPolicy.expirePasswordInMonths Number Required when passwordPolicy in the config is not null Number of months after which current password expires (defaults to 0).
    config.passwordPolicy.passwordNewerThan Number Required when passwordPolicy in the config is not null This timestamp value can be used to force change password for every user. If the user's passwordLastModified is older than this value, the password is expired (defaults to null).
    config.lockoutPolicy.lockoutPeriodSeconds Number Required when LockoutPolicy in the config is not null Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked (defaults to 3600).
    config.lockoutPolicy.lockoutAfterFailures Number Required when LockoutPolicy in the config is not null Number of allowed failures before account is locked (defaults to 5).
    config.lockoutPolicy.countFailuresWithin Number Required when LockoutPolicy in the config is not null Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded (defaults to 300).
    config.disableInternalUserManagement Boolean Optional When set to true, user management is disabled for this provider (defaults to false).
    aliasId String Optional The ID of the alias IdP. The aliasId value of the existing identity provider must be left unchanged.
    aliasZid String Optional The ID of the identity zone in which an alias of this IdP is maintained. Defaults to null. Only supported for identity providers of type "saml", "oidc1.0" and "oauth2.0". If set, the field must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias identity providers can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". If set and the identity provider did not reference an alias before, an alias identity provider is created in the referenced zone and aliasId is set accordingly. If the identity provider already referenced an alias identity provider before the update, this field must be left unchanged.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity - Invalid config or updating IdP with alias while aliasEntitiesEnabled is false
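
    The field table above puts several constraints on an update: name, type, originKey and version are required, originKey and an existing aliasId must not change, and a non-null lockoutPolicy or passwordPolicy must carry every one of its listed fields. The Python sketch below is an added example, not UAA's own client code: it builds the PUT body from a previously retrieved provider and rejects a body that breaks those constraints before it is sent. The function name, the constructed sample provider and the decision to send config as an object (as the rawConfig=true request above does) are assumptions of this example.

```python
import copy
import json

# Field names as listed in the "Request and Response Fields" table above.
LOCKOUT_FIELDS = ("lockoutPeriodSeconds", "lockoutAfterFailures",
                  "countFailuresWithin")
PASSWORD_FIELDS = ("minLength", "maxLength", "requireUpperCaseCharacter",
                   "requireLowerCaseCharacter", "requireDigit",
                   "requireSpecialCharacter", "expirePasswordInMonths",
                   "passwordNewerThan")
REQUIRED_TOP_LEVEL = ("name", "type", "originKey", "version")
COPIED_KEYS = ("type", "originKey", "name", "version", "active",
               "aliasId", "aliasZid")

# Constructed sample: the "uaa" provider as a GET with rawConfig=false would
# return it (config is a JSON-encoded string), at version 3.
CURRENT_IDP = {
    "type": "uaa", "originKey": "uaa", "name": "uaa", "version": 3,
    "active": True, "aliasId": None, "aliasZid": None,
    "id": "0485e661-128a-4a89-917a-5effc77ce725",
    "config": json.dumps({"emailDomain": None, "providerDescription": None,
                          "passwordPolicy": None, "lockoutPolicy": None,
                          "disableInternalUserManagement": False}),
}


def _config_dict(idp):
    """Decode config whether it arrived as a string or as an object."""
    cfg = idp.get("config")
    if isinstance(cfg, str):
        cfg = json.loads(cfg)
    return copy.deepcopy(cfg) if isinstance(cfg, dict) else {}


def build_update_body(current, config_changes=None, **fields):
    """Return a PUT body for /identity-providers/{id}, or raise ValueError."""
    # originKey cannot be updated; aliasId must stay as it is; aliasZid must
    # stay as it is once the provider already references an alias.
    locked = {"originKey", "aliasId"}
    if current.get("aliasId") is not None:
        locked.add("aliasZid")
    for key in locked.intersection(fields):
        if fields[key] != current.get(key):
            raise ValueError(f"{key} must be left unchanged on update")
    if "version" in fields:
        # The version sent is the one that was read, so a concurrent change
        # is not silently overwritten.
        raise ValueError("version comes from the retrieved provider")

    config = _config_dict(current)
    config.update(config_changes or {})
    for policy, required in (("lockoutPolicy", LOCKOUT_FIELDS),
                             ("passwordPolicy", PASSWORD_FIELDS)):
        value = config.get(policy)
        if value is not None:
            missing = [name for name in required if name not in value]
            if missing:
                raise ValueError(f"{policy} is missing {', '.join(missing)}")

    body = {key: current.get(key) for key in COPIED_KEYS}
    body.update(fields)
    body["config"] = config
    absent = [key for key in REQUIRED_TOP_LEVEL if body.get(key) is None]
    if absent:
        raise ValueError(f"required fields missing: {', '.join(absent)}")
    return body


if __name__ == "__main__":
    lockout = {"lockoutPeriodSeconds": 8, "lockoutAfterFailures": 8,
               "countFailuresWithin": 8}
    print(json.dumps(build_update_body(CURRENT_IDP,
                                       {"lockoutPolicy": lockout})))
```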

    Delete

    $ curl 'http://localhost/identity-providers/7dd11ede-118f-4422-a319-7197c2f8a292?rawConfig=false' -i -X DELETE \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer bac215e235474b579218ea0f406ec0fb'
    
    DELETE /identity-providers/7dd11ede-118f-4422-a319-7197c2f8a292?rawConfig=false HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer bac215e235474b579218ea0f406ec0fb
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 3263
    
    {
      "type" : "saml",
      "config" : "{\"emailDomain\":null,\"additionalConfiguration\":null,\"providerDescription\":null,\"externalGroupsWhitelist\":[],\"attributeMappings\":{\"email_verified\":\"emailVerified\",\"external_groups\":[\"roles\"],\"user.attribute.department\":\"department\",\"phone_number\":\"telephone\",\"given_name\":\"first_name\",\"family_name\":\"last_name\",\"email\":\"emailAddress\"},\"addShadowUserOnLogin\":true,\"storeCustomAttributes\":true,\"metaDataLocation\":\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><md:EntityDescriptor xmlns:md=\\\"urn:oasis:names:tc:SAML:2.0:metadata\\\" entityID=\\\"http://www.okta.com/saml-for-delete\\\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\\\"true\\\" protocolSupportEnumeration=\\\"urn:oasis:names:tc:SAML:2.0:protocol\\\"><md:KeyDescriptor use=\\\"signing\\\"><ds:KeyInfo xmlns:ds=\\\"http://www.w3.org/2000/09/xmldsig#\\\"><ds:X509Data><ds:X509Certificate>MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG\\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu\\nZm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC\\nVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM\\nBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN\\nAQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU\\nWWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O\\nBw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL\\n3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk\\nvvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6\\nGFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFb</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md
:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/><md:SingleSignOnService Binding=\\\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\\\" Location=\\\"https://pivotal.oktapreview.com/app/pivotal_pivotalcfstaging_1/k2lw4l5bPODCMIIDBRYZ/sso/saml\\\"/></md:IDPSSODescriptor></md:EntityDescriptor>\\n\",\"idpEntityAlias\":\"saml-for-delete\",\"zoneId\":\"uaa\",\"nameID\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"assertionConsumerIndex\":0,\"metadataTrustCheck\":false,\"showSamlLink\":false,\"linkText\":\"IDPEndpointsMockTests Saml Provider:saml-for-delete\",\"iconUrl\":null,\"groupMappingMode\":\"EXPLICITLY_MAPPED\",\"skipSslValidation\":false,\"authnContext\":null,\"socketFactoryClassName\":null}",
      "id" : "7dd11ede-118f-4422-a319-7197c2f8a292",
      "originKey" : "saml-for-delete",
      "name" : "saml-for-delete name",
      "version" : 0,
      "created" : 1732091789755,
      "last_modified" : 1732091789755,
      "active" : true,
      "identityZoneId" : "uaa",
      "aliasId" : null,
      "aliasZid" : null
    }
    

    Path Parameters

    /identity-providers/{id}

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    rawConfig Boolean Optional (defaults to false) UAA 3.4.0 Flag indicating whether the response should use raw, unescaped JSON for the config field of the IDP, rather than the default behavior of encoding the JSON as a string.

    Response Fields

    Path Type Description
    name String Human-readable name for this provider
    config.providerDescription String Human-readable name/description of this provider
    config.emailDomain Array List of email domains associated with the provider for the purpose of associating users to the correct origin upon invitation. If empty list, no invitations are accepted. Wildcards supported.
    active Boolean Defaults to true.
    config.addShadowUserOnLogin Boolean Determines whether users should be allowed to authenticate without having a user pre-populated in the users database (if true), or whether shadow users must be created before login by an administrator (if false).
    config.storeCustomAttributes Boolean Set to true to store custom user attributes so that they can be fetched from the /userinfo endpoint
    type String Type of the identity provider.
    originKey String Unique identifier for the identity provider.
    config String Various configuration properties for the identity provider.
    config.additionalConfiguration Object (Unused.)
    version Number Version of the identity provider data. Clients can use this to protect against conflicting updates
    id String Unique identifier for this provider - GUID generated by the UAA
    identityZoneId String Set to the zone that this provider will be active in. Determined either by the Host header or the zone switch header.
    created Number UAA sets the creation date
    last_modified Number UAA sets the modification date
    aliasId String The ID of the alias IdP.
    aliasZid String The ID of the identity zone in which an alias of this IdP is maintained.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity (e.g., deleting IdP with alias while aliasEntitiesEnabled is false)

    Force password change for Users

    $ curl 'http://localhost/identity-providers/0485e661-128a-4a89-917a-5effc77ce725/status' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer e6971d26e7594aa7a8c44b334b6b79eb' \
        -d '{"requirePasswordChange":true}'
    
    PATCH /identity-providers/0485e661-128a-4a89-917a-5effc77ce725/status HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer e6971d26e7594aa7a8c44b334b6b79eb
    Content-Length: 30
    Host: localhost
    
    {"requirePasswordChange":true}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 36
    
    {
      "requirePasswordChange" : true
    }
    

    Path Parameters

    /identity-providers/{id}/status

    Parameter Description
    id Unique identifier for this provider - GUID generated by the UAA

    Request Headers

    Name Description
    Authorization Bearer token containing zones.<zone id>.admin or uaa.admin or idps.write (only in the same zone that you are a user of)
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request and Response Fields

    Path Type Constraints Description
    requirePasswordChange Boolean Required Set to true in order to force password change for all users. The passwordNewerThan property in PasswordPolicy of the IdentityProvider will be updated with current system time. If the user's passwordLastModified is older than this value, the password is expired.

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope
    422 Unprocessable Entity - Invalid config

    Users

    Users can be queried, created and updated via the /Users endpoint.

    Get

    $ curl 'http://localhost/Users/0d2c1b69-6c9a-4673-a305-3951b526f355' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer c72f2ecbfc53465dba58942194edf0ee' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0'
    
    GET /Users/0d2c1b69-6c9a-4673-a305-3951b526f355 HTTP/1.1
    Accept: application/json
    Authorization: Bearer c72f2ecbfc53465dba58942194edf0ee
    Content-Type: application/json
    If-Match: 0
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2880
    
    {
      "id" : "0d2c1b69-6c9a-4673-a305-3951b526f355",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.256Z",
        "lastModified" : "2024-11-20T08:36:36.256Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "52237012-cf9b-43c7-8ad2-6f00432104f2",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "a92053a4-1130-424b-96cc-03de1a4da956",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "d4ae5945-8744-4c7f-a937-2d317ca7a9c4",
        "display" : "approvals.me",
        "type" : "DIRECT"
      }, {
        "value" : "4f00b948-479c-4476-a5e6-ff60cc80b2be",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "8c5d5bca-84d1-4bc0-8a0f-42da9267cf3b",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "2e547bb0-6f21-4b4a-bac9-d46d3eb0e450",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "0c933f52-ec08-4b8b-9167-456fdd9ec558",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "15a99c12-82b5-4a91-a939-06a3f45aa89d",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "6d8a83f4-4f88-40c4-ba5f-22942fd0e733",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "6721a10c-5304-404c-9626-094dff83ce83",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "b44520eb-c5d4-4e0b-9005-67de2d411931",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8b52ee42-2309-44dd-bc26-6ec6a0e200c5",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "3f682806-038d-428c-926e-8ab7fea91079",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "c85dcb56-2d80-470b-ad27-880d2b19cc8e",
        "display" : "roles",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "0d2c1b69-6c9a-4673-a305-3951b526f355",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2024-11-20T08:36:36.261Z",
        "expiresAt" : "2024-11-20T08:36:46.261Z"
      }, {
        "userId" : "0d2c1b69-6c9a-4673-a305-3951b526f355",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2024-11-20T08:37:06.262Z",
        "expiresAt" : "2024-11-20T08:37:06.262Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "previousLogonTime" : 1732091796263,
      "lastLogonTime" : 1732091796263,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scope scim.read, uaa.admin, or zones.uaa.admin required
    If-Match The version of the SCIM object to be deleted. Optional.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identify this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identify this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    aliasId String The ID of the alias user.
    aliasZid String The ID of the identity zone in which an alias of this user is maintained.
    meta Object SCIM object meta data.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.read is required to retrieve a user)
    404 Not Found - User id not found

    Example using uaac to get users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user get testuser
    

    List

    Listing users supports SCIM filtering on the available attributes. By default, users are returned with their group memberships and approvals, which is a rather expensive operation. To avoid this cost, include the attributes parameter in the search so that only the requested attributes are returned.

    $ curl 'http://localhost/Users?filter=id+eq+%2211d49c43-9d25-4048-a962-d466c395dd89%22+or+email+eq+%22Xyf1Xo%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 0ded94e133b944e89c4e7603005e6eca'
    
    GET /Users?filter=id+eq+%2211d49c43-9d25-4048-a962-d466c395dd89%22+or+email+eq+%22Xyf1Xo%40test.org%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1 HTTP/1.1
    Accept: application/json
    Authorization: Bearer 0ded94e133b944e89c4e7603005e6eca
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2962
    
    {
      "resources" : [ {
        "id" : "11d49c43-9d25-4048-a962-d466c395dd89",
        "externalId" : "test-user",
        "meta" : {
          "version" : 0,
          "created" : "2024-11-20T08:36:36.425Z",
          "lastModified" : "2024-11-20T08:36:36.425Z"
        },
        "userName" : "[email protected]",
        "name" : {
          "familyName" : "family name",
          "givenName" : "given name"
        },
        "emails" : [ {
          "value" : "[email protected]",
          "primary" : false
        } ],
        "groups" : [ {
          "value" : "52237012-cf9b-43c7-8ad2-6f00432104f2",
          "display" : "user_attributes",
          "type" : "DIRECT"
        }, {
          "value" : "a92053a4-1130-424b-96cc-03de1a4da956",
          "display" : "cloud_controller.read",
          "type" : "DIRECT"
        }, {
          "value" : "d4ae5945-8744-4c7f-a937-2d317ca7a9c4",
          "display" : "approvals.me",
          "type" : "DIRECT"
        }, {
          "value" : "4f00b948-479c-4476-a5e6-ff60cc80b2be",
          "display" : "scim.me",
          "type" : "DIRECT"
        }, {
          "value" : "8c5d5bca-84d1-4bc0-8a0f-42da9267cf3b",
          "display" : "cloud_controller_service_permissions.read",
          "type" : "DIRECT"
        }, {
          "value" : "2e547bb0-6f21-4b4a-bac9-d46d3eb0e450",
          "display" : "oauth.approvals",
          "type" : "DIRECT"
        }, {
          "value" : "0c933f52-ec08-4b8b-9167-456fdd9ec558",
          "display" : "uaa.user",
          "type" : "DIRECT"
        }, {
          "value" : "15a99c12-82b5-4a91-a939-06a3f45aa89d",
          "display" : "openid",
          "type" : "DIRECT"
        }, {
          "value" : "6d8a83f4-4f88-40c4-ba5f-22942fd0e733",
          "display" : "scim.userids",
          "type" : "DIRECT"
        }, {
          "value" : "6721a10c-5304-404c-9626-094dff83ce83",
          "display" : "uaa.offline_token",
          "type" : "DIRECT"
        }, {
          "value" : "b44520eb-c5d4-4e0b-9005-67de2d411931",
          "display" : "profile",
          "type" : "DIRECT"
        }, {
          "value" : "8b52ee42-2309-44dd-bc26-6ec6a0e200c5",
          "display" : "cloud_controller.write",
          "type" : "DIRECT"
        }, {
          "value" : "3f682806-038d-428c-926e-8ab7fea91079",
          "display" : "password.write",
          "type" : "DIRECT"
        }, {
          "value" : "c85dcb56-2d80-470b-ad27-880d2b19cc8e",
          "display" : "roles",
          "type" : "DIRECT"
        } ],
        "approvals" : [ {
          "userId" : "11d49c43-9d25-4048-a962-d466c395dd89",
          "clientId" : "client id",
          "scope" : "scim.read",
          "status" : "APPROVED",
          "lastUpdatedAt" : "2024-11-20T08:36:36.430Z",
          "expiresAt" : "2024-11-20T08:36:46.430Z"
        } ],
        "phoneNumbers" : [ {
          "value" : "5555555555"
        } ],
        "active" : true,
        "verified" : true,
        "origin" : "uaa",
        "zoneId" : "uaa",
        "passwordLastModified" : "2024-11-20T08:36:36.000Z",
        "previousLogonTime" : 1732091796431,
        "lastLogonTime" : 1732091796432,
        "schemas" : [ "urn:scim:schemas:core:1.0" ]
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 1,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.read or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional SCIM filter for searching
    sortBy String Optional (defaults to created) Sorting field name, like email or id
    sortOrder String Optional (defaults to ascending) Sort order, ascending/descending
    startIndex Number Optional (defaults to 1) The starting index of the search results when paginated. Index starts with 1.
    count Number Optional (defaults to 100) Max number of results to be returned

    Response Fields

    Path Type Description
    startIndex Number The starting index of the search results when paginated. Index starts with 1.
    itemsPerPage Number The maximum number of items returned per request.
    totalResults Number Number of results in result set.
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    resources Array A list of SCIM user objects retrieved by the search.
    resources[].schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    resources[].id String A guid generated by the UAA to uniquely identify this user.
    resources[].userName String User name of the user, typically an email address.
    resources[].name Object A map with the user's first name and last name.
    resources[].name.familyName String The user's last name.
    resources[].name.givenName String The user's first name.
    resources[].phoneNumbers Array The user's phone numbers.
    resources[].phoneNumbers[].value String The phone number.
    resources[].emails Array The user's email addresses.
    resources[].emails[].value String The email address.
    resources[].emails[].primary Boolean Set to true if this is the user's primary email address.
    resources[].groups Array A list of groups the user belongs to.
    resources[].groups[].value String A guid generated by the UAA to uniquely identify this group.
    resources[].groups[].display String The group display name, also referred to as scope during authorization.
    resources[].groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    resources[].approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    resources[].approvals[].userId String The user id on the approval. Will be the same as the id field.
    resources[].approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    resources[].approvals[].scope String The scope on the approval. Will be a group display value.
    resources[].approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    resources[].approvals[].lastUpdatedAt String Date this approval was last updated.
    resources[].approvals[].expiresAt String Date this approval will expire.
    resources[].active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    resources[].lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    resources[].previousLogonTime Number The unix epoch timestamp in milliseconds of 2nd to last successful user authentication. This field will only be included in the response once the user has authenticated two or more times.
    resources[].verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    resources[].origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    resources[].zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    resources[].passwordLastModified String The timestamp when this user's password was last changed.
    resources[].externalId String External user ID if authenticated through an external identity provider.
    resources[].aliasId String The ID of the alias user.
    resources[].aliasZid String The ID of the identity zone in which an alias of this user is maintained.
    resources[].meta Object SCIM object meta data.
    resources[].meta.version Number Object version.
    resources[].meta.lastModified String Object last modified date.
    resources[].meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.read is required to search users)

    Example using uaac to view users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac users
    

    List with Attribute Filtering

    Listing users supports SCIM filtering on the available attributes. When searching users, the attributes parameter restricts the response to the selected attributes. Requesting the groups attribute causes the UAA to query the group memberships and include them in the result, which makes the operation more expensive. Requesting the approvals attribute likewise causes the UAA to query the user approvals and include them in the result, which makes the operation more expensive.

    $ curl 'http://localhost/Users?attributes=id%2CuserName%2Cemails%2Cactive&filter=id+eq+%2248368e92-85de-4dd7-9211-94de2eab84e0%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 9ab2880323eb440c9e361c9cdcb3719a'
    
    GET /Users?attributes=id%2CuserName%2Cemails%2Cactive&filter=id+eq+%2248368e92-85de-4dd7-9211-94de2eab84e0%22&sortBy=email&count=50&sortOrder=ascending&startIndex=1 HTTP/1.1
    Accept: application/json
    Authorization: Bearer 9ab2880323eb440c9e361c9cdcb3719a
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 334
    
    {
      "resources" : [ {
        "emails" : [ {
          "value" : "[email protected]",
          "primary" : false
        } ],
        "active" : true,
        "id" : "48368e92-85de-4dd7-9211-94de2eab84e0",
        "userName" : "[email protected]"
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 1,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.read or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional SCIM filter for searching
    sortBy String Optional (defaults to created) Sorting field name, like email or id
    sortOrder String Optional (defaults to ascending) Sort order, ascending/descending
    startIndex Number Optional (defaults to 1) The starting index of the search results when paginated. Index starts with 1.
    count Number Optional (defaults to 100) Max number of results to be returned
    attributes String Optional Comma separated list of attribute names to be returned.

    Response Fields

    Path Type Description
    startIndex Number The starting index of the search results when paginated. Index starts with 1.
    itemsPerPage Number The maximum number of items returned per request.
    totalResults Number Number of results in result set.
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    resources Array A list of SCIM user objects retrieved by the search.
    resources[].id String A guid generated by the UAA to uniquely identify this user.
    resources[].userName String User name of the user, typically an email address.
    resources[].emails Array The user's email addresses.
    resources[].emails[].value String The email address.
    resources[].emails[].primary Boolean Set to true if this is the user's primary email address.
    resources[].active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
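
    The attribute-filtered listing above combined with the forced password change rule (a password is expired when passwordLastModified is older than passwordNewerThan), as an added example that is not part of the UAA documentation or code base. The fetch callable, the in-memory stand-in for GET /Users, the sample users and the cutoff value are all constructed, and requesting passwordLastModified through the attributes parameter is an assumption.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit


def scim_string(value):
    """Quote a value for a SCIM filter; refuse characters that could end the literal."""
    if '"' in value or "\\" in value:
        raise ValueError("refusing filter value containing a quote or backslash")
    return '"' + value + '"'


def list_users(fetch, filter_expr, attributes, count=100):
    """Yield every matching user, following startIndex/totalResults pagination."""
    start = 1
    while True:
        query = urlencode({
            "filter": filter_expr,
            # Leaving out groups and approvals spares the UAA the expensive lookups.
            "attributes": ",".join(attributes),
            "startIndex": start,
            "count": count,
        })
        page = fetch("/Users?" + query)
        resources = page["resources"]
        yield from resources
        # Advance by what was actually returned: the server may return fewer
        # items than requested (the sample above asks for 50, itemsPerPage is 5).
        start += len(resources)
        if not resources or start > page["totalResults"]:
            return


def parse_ts(text):
    """Parse a timestamp in the form the UAA prints, e.g. 2024-11-20T08:36:36.000Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expired_by_forced_change(users, cutoff):
    """userNames whose passwordLastModified is older than the passwordNewerThan cutoff."""
    return [u["userName"] for u in users
            if parse_ts(u["passwordLastModified"]) < cutoff]


def audit_forced_change(fetch, cutoff):
    """List internal-store users whose password a forced change has expired."""
    users = list_users(fetch, "origin eq " + scim_string("uaa"),
                       ["id", "userName", "active", "passwordLastModified"])
    return expired_by_forced_change(users, cutoff)


# Constructed sample directory: seven internal-store users, not real accounts.
CONSTRUCTED_USERS = [
    {"id": "constructed-id-%d" % i,
     "userName": "user%d@example.test" % i,
     "active": True,
     "origin": "uaa",
     "passwordLastModified": stamp}
    for i, stamp in enumerate([
        "2024-11-20T08:36:36.000Z", "2024-11-20T08:36:36.000Z",
        "2024-11-20T08:36:36.000Z", "2024-11-20T09:00:00.000Z",
        "2024-11-20T09:00:00.000Z", "2024-11-20T08:36:36.000Z",
        "2024-11-20T09:00:00.000Z"])
]


def make_fake_uaa(users, server_page_cap=5):
    """Constructed stand-in for GET /Users; returns (fetch, list of requested URLs).

    It honours startIndex, count and attributes but ignores the filter, because
    every constructed user already has origin "uaa".
    """
    calls = []

    def fetch(url):
        calls.append(url)
        q = parse_qs(urlsplit(url).query)
        start = int(q["startIndex"][0])
        size = min(int(q["count"][0]), server_page_cap)
        wanted = q["attributes"][0].split(",")
        chosen = users[start - 1:start - 1 + size]
        return {
            "resources": [{k: u[k] for k in wanted if k in u} for u in chosen],
            "startIndex": start,
            "itemsPerPage": size,
            "totalResults": len(users),
            "schemas": ["urn:scim:schemas:core:1.0"],
        }

    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_fake_uaa(CONSTRUCTED_USERS)
    cutoff = parse_ts("2024-11-20T08:40:00.000Z")  # constructed passwordNewerThan
    print(audit_forced_change(fetch, cutoff))
    print(len(calls), "requests")
```

    Against a real UAA, fetch would be a function that issues the GET with a bearer token carrying scim.read and returns the decoded JSON body.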

    Create

    $ curl 'http://localhost/Users' -i -X POST \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer e61e77614f7a4c2cabafede84339fedf' \
        -H 'Content-Type: application/json' \
        -d '{
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.585Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "formatted" : "given name family name",
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : true
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "",
      "password" : "secret",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    POST /Users HTTP/1.1
    Accept: application/json
    Authorization: Bearer e61e77614f7a4c2cabafede84339fedf
    Content-Type: application/json
    Content-Length: 537
    Host: localhost
    
    {
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.585Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "formatted" : "given name family name",
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : true
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "",
      "password" : "secret",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2327
    
    {
      "id" : "11cdf4ce-2fbe-4da7-b10c-4879da3d5aa2",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.591Z",
        "lastModified" : "2024-11-20T08:36:36.591Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "52237012-cf9b-43c7-8ad2-6f00432104f2",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "a92053a4-1130-424b-96cc-03de1a4da956",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "d4ae5945-8744-4c7f-a937-2d317ca7a9c4",
        "display" : "approvals.me",
        "type" : "DIRECT"
      }, {
        "value" : "4f00b948-479c-4476-a5e6-ff60cc80b2be",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "8c5d5bca-84d1-4bc0-8a0f-42da9267cf3b",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "2e547bb0-6f21-4b4a-bac9-d46d3eb0e450",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "0c933f52-ec08-4b8b-9167-456fdd9ec558",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "15a99c12-82b5-4a91-a939-06a3f45aa89d",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "6d8a83f4-4f88-40c4-ba5f-22942fd0e733",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "6721a10c-5304-404c-9626-094dff83ce83",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "b44520eb-c5d4-4e0b-9005-67de2d411931",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8b52ee42-2309-44dd-bc26-6ec6a0e200c5",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "3f682806-038d-428c-926e-8ab7fea91079",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "c85dcb56-2d80-470b-ad27-880d2b19cc8e",
        "display" : "roles",
        "type" : "DIRECT"
      } ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write or uaa.admin scope required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    userName String Required User name of the user, typically an email address.
    password String Optional User's password, required if origin is set to uaa. May be subject to validations if the UAA is configured with a password policy.
    name Object Required A map with the user's first name and last name.
    name.familyName String Optional The user's last name.
    name.givenName String Optional The user's first name.
    phoneNumbers Array Optional The user's phone numbers.
    phoneNumbers[].value String Optional The phone number.
    emails Array Required The user's email addresses.
    emails[].value String Required The email address.
    emails[].primary Boolean Required Set to true if this is the user's primary email address.
    active Boolean Optional (defaults to true) Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean Optional (defaults to true) New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String Optional (defaults to "uaa") The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    externalId String Optional External user ID if authenticated through an external identity provider.
    aliasId String Optional The ID of the alias user. Must be set to null.
    aliasZid String Optional The ID of the identity zone in which an alias of this user is maintained. If set, an alias user is created in this zone and aliasId is set accordingly. Must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias users can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". Furthermore, alias users can only be created if the IdP referenced in origin also has an alias to the same zone as the user.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identify this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identify this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    externalId String External user ID if authenticated through an external identity provider.
    aliasId String The ID of the alias user.
    aliasZid String The ID of the identity zone in which an alias of this user is maintained.
    meta Object SCIM object metadata.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to create a user)
    409 Conflict - Username already exists
    422 Unprocessable Entity - alias_zid set, but error occurred during creation of alias

    Example using uaac to create a user:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user add testuser --given_name About --family_name Schmidt --emails [email protected] --password secret
    

    Update

    $ curl 'http://localhost/Users/4aaf2b58-485c-479a-af47-3cbddd916de5' -i -X PUT \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 49afa58d44ab45f8882f75267af1379d' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0' \
        -d '{
      "id" : "4aaf2b58-485c-479a-af47-3cbddd916de5",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.496Z",
        "lastModified" : "2024-11-20T08:36:36.496Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    PUT /Users/4aaf2b58-485c-479a-af47-3cbddd916de5 HTTP/1.1
    Accept: application/json
    Authorization: Bearer 49afa58d44ab45f8882f75267af1379d
    Content-Type: application/json
    If-Match: 0
    Content-Length: 684
    Host: localhost
    
    {
      "id" : "4aaf2b58-485c-479a-af47-3cbddd916de5",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.496Z",
        "lastModified" : "2024-11-20T08:36:36.496Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2804
    
    {
      "id" : "4aaf2b58-485c-479a-af47-3cbddd916de5",
      "externalId" : "test-user",
      "meta" : {
        "version" : 1,
        "created" : "2024-11-20T08:36:36.496Z",
        "lastModified" : "2024-11-20T08:36:36.521Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "52237012-cf9b-43c7-8ad2-6f00432104f2",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "a92053a4-1130-424b-96cc-03de1a4da956",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "d4ae5945-8744-4c7f-a937-2d317ca7a9c4",
        "display" : "approvals.me",
        "type" : "DIRECT"
      }, {
        "value" : "4f00b948-479c-4476-a5e6-ff60cc80b2be",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "8c5d5bca-84d1-4bc0-8a0f-42da9267cf3b",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "2e547bb0-6f21-4b4a-bac9-d46d3eb0e450",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "0c933f52-ec08-4b8b-9167-456fdd9ec558",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "15a99c12-82b5-4a91-a939-06a3f45aa89d",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "6d8a83f4-4f88-40c4-ba5f-22942fd0e733",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "6721a10c-5304-404c-9626-094dff83ce83",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "b44520eb-c5d4-4e0b-9005-67de2d411931",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8b52ee42-2309-44dd-bc26-6ec6a0e200c5",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "3f682806-038d-428c-926e-8ab7fea91079",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "c85dcb56-2d80-470b-ad27-880d2b19cc8e",
        "display" : "roles",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "4aaf2b58-485c-479a-af47-3cbddd916de5",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2024-11-20T08:36:36.501Z",
        "expiresAt" : "2024-11-20T08:36:46.501Z"
      }, {
        "userId" : "4aaf2b58-485c-479a-af47-3cbddd916de5",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "DENIED",
        "lastUpdatedAt" : "2024-11-20T08:37:06.502Z",
        "expiresAt" : "2024-11-20T08:37:06.502Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.admin, or openid required. The openid scope only allows the user to update their own first and last name, when origin is uaa.
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    userName String Required User name of the user, typically an email address.
    name Object Required A map with the user's first name and last name.
    name.familyName String Required The user's last name.
    name.givenName String Required The user's first name.
    phoneNumbers Array Optional The user's phone numbers.
    phoneNumbers[].value String Optional The phone number.
    emails Array Required The user's email addresses.
    emails[].value String Required The email address.
    emails[].primary Boolean Required Set to true if this is the user's primary email address.
    active Boolean Optional (defaults to true) Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean Optional (defaults to true) New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String Optional (defaults to "uaa") The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. The origin value cannot be changed in an update operation.
    externalId String Optional External user ID if authenticated through an external identity provider.
    aliasId String Optional The ID of the alias user. If the existing user had this field set, it must be set to the same value in the update request. If not, this field must be set to null.
    aliasZid String Optional The ID of the identity zone in which an alias of this user is maintained. If set, an alias user is created in this zone and aliasId is set accordingly. Must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias users can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". Furthermore, alias users can only be created if the IdP referenced in origin also has an alias to the same zone as the user. If the existing user had this field set, it must be set to the same value in the update request.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identify this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identify this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    aliasId String The ID of the alias user.
    aliasZid String The ID of the identity zone in which an alias of this user is maintained.
    meta Object SCIM object metadata.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields; trying to update user with alias while aliasEntitiesEnabled is off
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to update a user)
    404 Not Found - User id not found
    422 Unprocessable Entity - error occurred during creation or update of alias

    Example using uaac to update a user:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user update testuser --given_name About --family_name Schmidt --emails [email protected] --phones 415-555-1212
    

    Patch

    $ curl 'http://localhost/Users/7a12510b-d63d-488a-b7ac-85603fc80e67' -i -X PATCH \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 734df7f1c49b46e68decb3325e9060a9' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0' \
        -d '{
      "id" : "7a12510b-d63d-488a-b7ac-85603fc80e67",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.785Z",
        "lastModified" : "2024-11-20T08:36:36.785Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    PATCH /Users/7a12510b-d63d-488a-b7ac-85603fc80e67 HTTP/1.1
    Accept: application/json
    Authorization: Bearer 734df7f1c49b46e68decb3325e9060a9
    Content-Type: application/json
    If-Match: 0
    Content-Length: 684
    Host: localhost
    
    {
      "id" : "7a12510b-d63d-488a-b7ac-85603fc80e67",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.785Z",
        "lastModified" : "2024-11-20T08:36:36.785Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ ],
      "approvals" : [ ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2804
    
    {
      "id" : "7a12510b-d63d-488a-b7ac-85603fc80e67",
      "externalId" : "test-user",
      "meta" : {
        "version" : 1,
        "created" : "2024-11-20T08:36:36.785Z",
        "lastModified" : "2024-11-20T08:36:36.800Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "52237012-cf9b-43c7-8ad2-6f00432104f2",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "a92053a4-1130-424b-96cc-03de1a4da956",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "d4ae5945-8744-4c7f-a937-2d317ca7a9c4",
        "display" : "approvals.me",
        "type" : "DIRECT"
      }, {
        "value" : "4f00b948-479c-4476-a5e6-ff60cc80b2be",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "8c5d5bca-84d1-4bc0-8a0f-42da9267cf3b",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "2e547bb0-6f21-4b4a-bac9-d46d3eb0e450",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "0c933f52-ec08-4b8b-9167-456fdd9ec558",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "15a99c12-82b5-4a91-a939-06a3f45aa89d",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "6d8a83f4-4f88-40c4-ba5f-22942fd0e733",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "6721a10c-5304-404c-9626-094dff83ce83",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "b44520eb-c5d4-4e0b-9005-67de2d411931",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8b52ee42-2309-44dd-bc26-6ec6a0e200c5",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "3f682806-038d-428c-926e-8ab7fea91079",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "c85dcb56-2d80-470b-ad27-880d2b19cc8e",
        "display" : "roles",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "7a12510b-d63d-488a-b7ac-85603fc80e67",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2024-11-20T08:36:36.789Z",
        "expiresAt" : "2024-11-20T08:36:46.789Z"
      }, {
        "userId" : "7a12510b-d63d-488a-b7ac-85603fc80e67",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "DENIED",
        "lastUpdatedAt" : "2024-11-20T08:37:06.790Z",
        "expiresAt" : "2024-11-20T08:37:06.790Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.admin, or openid required. The openid scope only allows the user to update their own first and last name, when origin is uaa.
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.

    Request Fields

    Path Type Constraints Description
    userName String Required User name of the user, typically an email address.
    name Object Required A map with the user's first name and last name.
    name.familyName String Required The user's last name.
    name.givenName String Required The user's first name.
    phoneNumbers Array Optional The user's phone numbers.
    phoneNumbers[].value String Optional The phone number.
    emails Array Required The user's email addresses.
    emails[].value String Required The email address.
    emails[].primary Boolean Required Set to true if this is the user's primary email address.
    active Boolean Optional (defaults to true) Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean Optional (defaults to true) New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String Optional (defaults to "uaa") The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store. The origin value cannot be changed in a patch operation.
    externalId String Optional External user ID if authenticated through an external identity provider.
    aliasId String Optional The ID of the alias user. If set, this field must have the same value as in the existing user.
    aliasZid String Optional The ID of the identity zone in which an alias of this user is maintained. If set, an alias user is created in this zone and aliasId is set accordingly. Must reference an existing identity zone that is different to the one referenced in identityZoneId. Alias users can only be created from or to the "uaa" identity zone, i.e., one of identityZoneId or aliasZid must be set to "uaa". Furthermore, alias users can only be created if the IdP referenced in origin also has an alias to the same zone as the user. If the existing user had this field set, it must not be set to a different value in the patch request.
    meta.attributes Array Optional Names of attributes that shall be deleted

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identify this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identify this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    aliasId String The ID of the alias user.
    aliasZid String The ID of the identity zone in which an alias of this user is maintained.
    meta Object SCIM object metadata.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields; trying to update user with alias while aliasEntitiesEnabled is off
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to update a user)
    404 Not Found - User id not found

    Example using uaac to patch users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user update testuser --given_name About --family_name Schmidt --emails [email protected] --phones 415-555-1212
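
The origin and alias rules in the Create, Update and Patch request-field tables above can be checked client-side before a request is sent. The following Python is an added example, not UAA or uaac code; the function names, the `idp_alias_zid` parameter and the sample values `zone-a` and `constructed-alias-id` are assumptions made for illustration.

```python
DEFAULT_ZONE = "uaa"
DEFAULT_ORIGIN = "uaa"

# Constructed sample: the user id from the Update example plus made-up alias values.
EXISTING = {
    "id": "4aaf2b58-485c-479a-af47-3cbddd916de5",
    "origin": "uaa",
    "zoneId": "uaa",
    "meta": {"version": 0},
    "aliasId": "constructed-alias-id",
    "aliasZid": "zone-a",
}


def if_match(existing):
    """If-Match value pinned to the version that was read, instead of '*'."""
    return str(existing["meta"]["version"])


def _new_alias_problems(alias_zid, zone_id, idp_alias_zid):
    """Rules that apply when a request asks for a new alias user."""
    problems = []
    if alias_zid == zone_id:
        problems.append("aliasZid must differ from the user's identity zone")
    if DEFAULT_ZONE not in (alias_zid, zone_id):
        problems.append('one of identityZoneId or aliasZid must be "uaa"')
    # Assumption: "an alias to the same zone" is read as the IdP's own
    # aliasZid being equal to the aliasZid requested for the user.
    if idp_alias_zid != alias_zid:
        problems.append("IdP named in origin has no alias to zone %r" % alias_zid)
    return problems


def check_user_write(method, payload, existing=None, zone_id=DEFAULT_ZONE,
                     idp_alias_zid=None):
    """Return documented rule violations; an empty list means none were found.

    method        -- "POST" (create), "PUT" (update) or "PATCH"
    payload       -- request body as a dict
    existing      -- the user as last read from UAA; required for PUT and PATCH
    zone_id       -- identity zone the request is addressed to
    idp_alias_zid -- aliasZid of the IdP named in origin, looked up by the caller
    """
    if method not in ("POST", "PUT", "PATCH"):
        raise ValueError("unsupported method: %r" % method)
    new_id, new_zid = payload.get("aliasId"), payload.get("aliasZid")
    problems = []

    if method == "POST":
        if new_id is not None:
            problems.append("aliasId must be null on create")
        if new_zid is not None:
            problems += _new_alias_problems(new_zid, zone_id, idp_alias_zid)
        return problems

    if existing is None:
        raise ValueError("PUT and PATCH need the existing user")
    old_id, old_zid = existing.get("aliasId"), existing.get("aliasZid")

    # Only an explicitly supplied origin is compared against the stored one.
    if "origin" in payload and payload["origin"] != existing.get("origin", DEFAULT_ORIGIN):
        problems.append("origin cannot be changed")

    if method == "PUT":
        # Update: aliasId repeats the stored value, or is null if none was stored.
        if new_id != old_id:
            problems.append("aliasId must equal the existing value (or be null)")
        if old_zid is not None and new_zid != old_zid:
            problems.append("aliasZid must repeat the existing value on update")
    else:
        # Patch: the fields may be omitted, but must not differ when present.
        if new_id is not None and new_id != old_id:
            problems.append("aliasId, if set, must equal the existing value")
        if old_zid is not None and new_zid not in (None, old_zid):
            problems.append("aliasZid must not change in a patch")

    if old_zid is None and new_zid is not None:
        problems += _new_alias_problems(new_zid, zone_id, idp_alias_zid)
    return problems


if __name__ == "__main__":
    body = {"userName": "constructed-user", "name": {"givenName": "given name"}}
    print("If-Match:", if_match(EXISTING))
    print("PUT  :", check_user_write("PUT", body, EXISTING))
    print("PATCH:", check_user_write("PATCH", body, EXISTING))
```

The same body that is acceptable as a patch is rejected as an update here, because an update must repeat the stored `aliasId` and `aliasZid` while a patch may omit them.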
    

    Delete

    $ curl 'http://localhost/Users/fe75002d-abf4-4a60-bde6-4b14edc28cd5' -i -X DELETE \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer f3cc0191b588495ba11b5e1d6d5c36e9' \
        -H 'Content-Type: application/json' \
        -H 'If-Match: 0'
    
    DELETE /Users/fe75002d-abf4-4a60-bde6-4b14edc28cd5 HTTP/1.1
    Accept: application/json
    Authorization: Bearer f3cc0191b588495ba11b5e1d6d5c36e9
    Content-Type: application/json
    If-Match: 0
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2806
    
    {
      "id" : "fe75002d-abf4-4a60-bde6-4b14edc28cd5",
      "externalId" : "test-user",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:36.173Z",
        "lastModified" : "2024-11-20T08:36:36.173Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "family name",
        "givenName" : "given name"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "groups" : [ {
        "value" : "52237012-cf9b-43c7-8ad2-6f00432104f2",
        "display" : "user_attributes",
        "type" : "DIRECT"
      }, {
        "value" : "a92053a4-1130-424b-96cc-03de1a4da956",
        "display" : "cloud_controller.read",
        "type" : "DIRECT"
      }, {
        "value" : "d4ae5945-8744-4c7f-a937-2d317ca7a9c4",
        "display" : "approvals.me",
        "type" : "DIRECT"
      }, {
        "value" : "4f00b948-479c-4476-a5e6-ff60cc80b2be",
        "display" : "scim.me",
        "type" : "DIRECT"
      }, {
        "value" : "8c5d5bca-84d1-4bc0-8a0f-42da9267cf3b",
        "display" : "cloud_controller_service_permissions.read",
        "type" : "DIRECT"
      }, {
        "value" : "2e547bb0-6f21-4b4a-bac9-d46d3eb0e450",
        "display" : "oauth.approvals",
        "type" : "DIRECT"
      }, {
        "value" : "0c933f52-ec08-4b8b-9167-456fdd9ec558",
        "display" : "uaa.user",
        "type" : "DIRECT"
      }, {
        "value" : "15a99c12-82b5-4a91-a939-06a3f45aa89d",
        "display" : "openid",
        "type" : "DIRECT"
      }, {
        "value" : "6d8a83f4-4f88-40c4-ba5f-22942fd0e733",
        "display" : "scim.userids",
        "type" : "DIRECT"
      }, {
        "value" : "6721a10c-5304-404c-9626-094dff83ce83",
        "display" : "uaa.offline_token",
        "type" : "DIRECT"
      }, {
        "value" : "b44520eb-c5d4-4e0b-9005-67de2d411931",
        "display" : "profile",
        "type" : "DIRECT"
      }, {
        "value" : "8b52ee42-2309-44dd-bc26-6ec6a0e200c5",
        "display" : "cloud_controller.write",
        "type" : "DIRECT"
      }, {
        "value" : "3f682806-038d-428c-926e-8ab7fea91079",
        "display" : "password.write",
        "type" : "DIRECT"
      }, {
        "value" : "c85dcb56-2d80-470b-ad27-880d2b19cc8e",
        "display" : "roles",
        "type" : "DIRECT"
      } ],
      "approvals" : [ {
        "userId" : "fe75002d-abf4-4a60-bde6-4b14edc28cd5",
        "clientId" : "client id",
        "scope" : "scim.read",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2024-11-20T08:36:36.177Z",
        "expiresAt" : "2024-11-20T08:36:46.177Z"
      }, {
        "userId" : "fe75002d-abf4-4a60-bde6-4b14edc28cd5",
        "clientId" : "identity",
        "scope" : "uaa.user",
        "status" : "APPROVED",
        "lastUpdatedAt" : "2024-11-20T08:37:06.179Z",
        "expiresAt" : "2024-11-20T08:37:06.179Z"
      } ],
      "phoneNumbers" : [ {
        "value" : "5555555555"
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Access token with scim.write or uaa.admin required
    If-Match The version of the SCIM object to be deleted. Optional.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    schemas Array SCIM schemas used, currently always set to [ "urn:scim:schemas:core:1.0" ]
    id String A guid generated by the UAA to uniquely identify this user.
    userName String User name of the user, typically an email address.
    name Object A map with the user's first name and last name.
    name.familyName String The user's last name.
    name.givenName String The user's first name.
    phoneNumbers Array The user's phone numbers.
    phoneNumbers[].value String The phone number.
    emails Array The user's email addresses.
    emails[].value String The email address.
    emails[].primary Boolean Set to true if this is the user's primary email address.
    groups Array A list of groups the user belongs to.
    groups[].value String A guid generated by the UAA to uniquely identify this group.
    groups[].display String The group display name, also referred to as scope during authorization.
    groups[].type String Membership type. DIRECT means the user is directly associated with the group. INDIRECT means that the membership is derived from a nested group.
    approvals Array A list of approval decisions made by this user. Approvals record the user's explicit approval or rejection for an application's request for delegated permissions.
    approvals[].userId String The user id on the approval. Will be the same as the id field.
    approvals[].clientId String The client id on the approval. Represents the application this approval or denial was for.
    approvals[].scope String The scope on the approval. Will be a group display value.
    approvals[].status String The status of the approval. Status may be either APPROVED or DENIED.
    approvals[].lastUpdatedAt String Date this approval was last updated.
    approvals[].expiresAt String Date this approval will expire.
    active Boolean Whether the user is allowed to log in. False acts as a soft delete; the user will not be able to log in.
    verified Boolean New users are automatically verified by default. Unverified users can be created by specifying verified: false. Becomes true when the user verifies their email address.
    origin String The alias of the Identity Provider that authenticated this user. The value uaa indicates a user from the UAA's internal user store.
    zoneId String The Identity Zone this user belongs to. The value uaa refers to the default zone.
    passwordLastModified String The timestamp when this user's password was last changed.
    lastLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    previousLogonTime Number The unix epoch timestamp in milliseconds of when the user last authenticated. This field will be omitted from the response if the user has never authenticated.
    externalId String External user ID if authenticated through an external identity provider.
    aliasId String The ID of the alias user.
    aliasZid String The ID of the identity zone in which an alias of this user is maintained.
    meta Object SCIM object meta data.
    meta.version Number Object version.
    meta.lastModified String Object last modified date.
    meta.created String Object created date.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields; trying to delete user with alias while aliasEntitiesEnabled is off
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write is required to delete a user)
    404 Not Found - User id not found

    Example using uaac to delete users:

    uaac target http://localhost:8080/uaa
    
    uaac token client get admin -s adminsecret
    
    uaac user delete testuser
    

    User Info

    An OAuth2 protected resource and an OpenID Connect endpoint. Given an appropriate access_token, returns information about a user. Defined fields include various standard user profile fields. The response may include other user information such as group membership.

    $ curl 'http://localhost/userinfo' -i -X GET \
        -H 'Authorization: Bearer 0678327b84a04925b47d5082d340cbd9'
    
    GET /userinfo HTTP/1.1
    Authorization: Bearer 0678327b84a04925b47d5082d340cbd9
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 411
    
    {
      "user_id" : "deee13d7-0559-4f2a-982c-f2ef420f1d00",
      "user_name" : "[email protected]",
      "given_name" : "PasswordResetUserFirst",
      "family_name" : "PasswordResetUserLast",
      "phone_number" : "+15558880000",
      "email" : "[email protected]",
      "email_verified" : true,
      "previous_logon_time" : null,
      "name" : "PasswordResetUserFirst PasswordResetUserLast",
      "sub" : "deee13d7-0559-4f2a-982c-f2ef420f1d00"
    }
    

    Request Headers

    Name Description
    Authorization Access token with openid required. If the user_attributes scope is in the token, the response object will contain custom attributes, if mapped to the external identity provider. If the roles scope is present, the response object will contain group memberships from the external identity provider.

    Response Fields

    Path Type Description
    sub String Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client.
    user_id String Unique user identifier.
    email String The user's email address.
    email_verified Boolean Indicates whether the user has verified their email address.
    user_name String User name of the user, typically an email address.
    given_name String The user's first name.
    family_name String The user's last name.
    name String A map with the user's first name and last name.
    phone_number String The user's phone number.
    previous_logon_time Null The unix epoch timestamp in milliseconds of 2nd to last successful user authentication.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (openid is required to get the user info)

    Example using uaac to view user info:

    uaac target http://localhost:8080/uaa
    
    uaac token authcode get admin -s adminsecret
    
    uaac curl -X GET /userinfo -k
    

    Change user password

    $ curl 'http://localhost/Users/b9acd688-4ae3-473c-b36a-eeda699c5ae2/password' -i -X PUT \
        -H 'Accept: application/json' \
        -H 'Authorization: Bearer 64d3dc2aa4294fc982f8c635ba11c2e4' \
        -H 'Content-Type: application/json' \
        -d '{
      "oldPassword" : "secret",
      "password" : "newsecret"
    }'
    
    PUT /Users/b9acd688-4ae3-473c-b36a-eeda699c5ae2/password HTTP/1.1
    Accept: application/json
    Authorization: Bearer 64d3dc2aa4294fc982f8c635ba11c2e4
    Content-Type: application/json
    Content-Length: 58
    Host: localhost
    
    {
      "oldPassword" : "secret",
      "password" : "newsecret"
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 55
    
    {
      "status" : "ok",
      "message" : "password updated"
    }
    

    Request Headers

    Name Description
    Authorization Access token with password.write or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    oldPassword String Required Old password. Optional when resetting another user's password as an admin with uaa.admin scope
    password String Required New password.

    Response Fields

    Path Type Description
    status String Will be 'ok' if password changed successfully.
    message String Will be 'password updated' if password changed successfully.

    Error Codes

    Error Code Description
    400 Bad Request - Invalid JSON format or missing fields
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write or a token containing the user id is required)
    404 Not Found - User id not found

    Example using uaac to change a user's password:

    uaac target http://localhost:8080/uaa
    
    uaac token owner get cf testuser -s "" -p "secret"
    
    uaac password change -o secret -p newsecret
    

    Unlock Account

    $ curl 'http://localhost/Users/41284448-d11b-4e33-a99f-8b468124d108/status' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer fa5af1a395e949cb885a42946f6e0add' \
        -H 'Accept: application/json' \
        -d '{
      "locked" : false
    }'
    
    PATCH /Users/41284448-d11b-4e33-a99f-8b468124d108/status HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer fa5af1a395e949cb885a42946f6e0add
    Accept: application/json
    Content-Length: 22
    Host: localhost
    
    {
      "locked" : false
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 22
    
    {
      "locked" : false
    }
    

    Path Parameters

    /Users/{userId}/status

    Parameter Description
    userId A guid generated by the UAA to uniquely identify this user.

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.account_status.write, or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    locked Boolean Optional Set to false in order to unlock the user when they have been locked out according to the password lock-out policy. Setting to true will produce an error, as the user cannot be locked out via the API.

    Response Fields

    Path Type Description
    locked Boolean The locked value given in the request.

    Error Codes

    Error Code Description
    400 Bad Request - invalid JSON format or illegal value
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write or uaa.account_status.write)
    404 Not Found - User id not found

    Force user password to expire

    $ curl 'http://localhost/Users/ecc9fe9a-399c-4e94-b0f7-bb1bbd6f787d/status' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 6a87ee550b8440db8d3a60042bba1619' \
        -H 'Accept: application/json' \
        -d '{
      "passwordChangeRequired" : true
    }'
    
    PATCH /Users/ecc9fe9a-399c-4e94-b0f7-bb1bbd6f787d/status HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 6a87ee550b8440db8d3a60042bba1619
    Accept: application/json
    Content-Length: 37
    Host: localhost
    
    {
      "passwordChangeRequired" : true
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 37
    
    {
      "passwordChangeRequired" : true
    }
    

    Path Parameters

    /Users/{userId}/status

    Parameter Description
    userId A guid generated by the UAA to uniquely identify this user.

    Request Headers

    Name Description
    Authorization Access token with scim.write, uaa.account_status.write, or uaa.admin required
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    passwordChangeRequired Boolean Optional Set to true in order to force internal user’s password to expire

    Response Fields

    Path Type Description
    passwordChangeRequired Boolean The passwordChangeRequired value given in the request.

    Error Codes

    Error Code Description
    400 Bad Request - invalid JSON format or illegal value
    401 Unauthorized - Invalid token
    403 Forbidden - Insufficient scope (scim.write or uaa.account_status.write required)
    404 Not Found - User id not found

    Get user verification link

    $ curl 'http://localhost/Users/1aa7a8f3-69e6-41be-8afa-463f1a8d8b52/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp' -i -X GET \
        -H 'Authorization: Bearer baa2f083f7294dfbb127f5e1e8d95a44' \
        -H 'Accept: application/json'
    
    GET /Users/1aa7a8f3-69e6-41be-8afa-463f1a8d8b52/verify-link?redirect_uri=http%3A%2F%2Fredirect.to%2Fapp HTTP/1.1
    Authorization: Bearer baa2f083f7294dfbb127f5e1e8d95a44
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 90
    
    {
      "verify_link" : "http://localhost/verify_user?code=VQ5wpY0h-8XGRzVlavCXqaDZDLF247Rn"
    }
    

    Path Parameters

    /Users/{userId}/verify-link

    Parameter Description
    userId The ID of the user to verify

    Request Headers

    Name Description
    Authorization The bearer token, with a pre-amble of Bearer
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    redirect_uri String Required Location where the user will be redirected after verifying by clicking the verification link

    Response Fields

    Path Type Description
    verify_link String Location the user must visit and authenticate to verify

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope or internal user management disabled
    404 Not Found - User not found

    Verify user

    $ curl 'http://localhost/Users/927b0050-8037-495a-83ba-c2b8d9e6cdbf/verify' -i -X GET \
        -H 'Authorization: Bearer 47106a18259e40f9ab6ea7ecf54634ea' \
        -H 'If-Match: 12' \
        -H 'Accept: application/json'
    
    GET /Users/927b0050-8037-495a-83ba-c2b8d9e6cdbf/verify HTTP/1.1
    Authorization: Bearer 47106a18259e40f9ab6ea7ecf54634ea
    If-Match: 12
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "12"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 561
    
    {
      "id" : "927b0050-8037-495a-83ba-c2b8d9e6cdbf",
      "meta" : {
        "version" : 12,
        "created" : "2024-11-20T08:36:36.115Z",
        "lastModified" : "2024-11-20T08:36:36.115Z"
      },
      "userName" : "[email protected]",
      "name" : {
        "familyName" : "d'Orange",
        "givenName" : "William"
      },
      "emails" : [ {
        "value" : "[email protected]",
        "primary" : false
      } ],
      "active" : true,
      "verified" : true,
      "origin" : "uaa",
      "zoneId" : "uaa",
      "passwordLastModified" : "2024-11-20T08:36:36.000Z",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Users/{userId}/verify

    Parameter Description
    userId The ID of the user to verify

    Request Headers

    Name Description
    Authorization The bearer token, with a pre-amble of Bearer
    If-Match (Optional) The expected current version of the user, which will prevent update if the version does not match
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

    Error Codes

    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope or internal user management disabled
    404 Not Found - User not found

    Lookup User IDs/Usernames

    $ curl 'http://localhost/ids/Users?filter=userName+eq+%22bob97tg5B%40test.org%22+or+id+eq+%220c86d534-cb07-41bd-a1fd-d191912d4120%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true' -i -X GET \
        -H 'Authorization: Bearer 0ac14b318dbd4434b678342095c5b273'
    
    GET /ids/Users?filter=userName+eq+%22bob97tg5B%40test.org%22+or+id+eq+%220c86d534-cb07-41bd-a1fd-d191912d4120%22&sortOrder=descending&startIndex=1&count=10&includeInactive=true HTTP/1.1
    Authorization: Bearer 0ac14b318dbd4434b678342095c5b273
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 372
    
    {
      "resources" : [ {
        "origin" : "uaa",
        "id" : "0c86d534-cb07-41bd-a1fd-d191912d4120",
        "userName" : "[email protected]"
      }, {
        "origin" : "uaa",
        "id" : "9706694b-ebeb-46f7-aa11-92dbdbe04914",
        "userName" : "[email protected]"
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 2,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.userids scope

    Request Parameters

    Parameter Type Constraints Description
    filter String Required SCIM filter for users over userName, id, and origin, using only the eq comparison operator
    sortOrder String Optional (defaults to ascending) sort by username in ascending or descending order
    startIndex Number Optional (defaults to 1) display paged results beginning at specified index
    count Number Optional (defaults to 100) number of results to return per page
    includeInactive Boolean Optional (defaults to false) include users from inactive identity providers

    Response Fields

    Path Type Description
    totalResults Number The number of results which matched the filter
    startIndex Number The index of the first item of this page of results
    itemsPerPage Number The page size used in producing this page of results
    schemas Array ["urn:scim:schemas:core:1.0"]
    resources[].id String The globally unique identifier for this user
    resources[].userName String The username
    resources[].origin String The origin of the user, e.g. an identity provider alias

    Error Codes

    Error Code Description
    400 Bad Request - Request was invalid or unparseable
    403 Forbidden - Insufficient scope
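
    One way to build the filter parameter for /ids/Users when the values come from untrusted input, as an added example that is not part of the UAA documentation or code base. The function names are hypothetical, and rejecting quotes, backslashes and control characters instead of escaping them is a choice made for this example.

```python
from urllib.parse import urlencode

# Attributes the page says /ids/Users filters may reference.
ALLOWED_ATTRIBUTES = ("userName", "id", "origin")


def eq_clause(attribute, value):
    """Return one `attr eq "value"` clause, or raise ValueError.

    Assumption of this example: values containing a double quote, a
    backslash or a control character are rejected instead of escaped, so
    the result does not depend on how the server unescapes literals.
    """
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute not filterable on /ids/Users: {attribute!r}")
    if not isinstance(value, str) or not value:
        raise ValueError("filter value must be a non-empty string")
    if any(ch in '"\\' or ord(ch) < 0x20 for ch in value):
        raise ValueError("filter value contains a quote, backslash or control character")
    return f'{attribute} eq "{value}"'


def build_ids_query(pairs, sort_order="ascending", start_index=1, count=100,
                    include_inactive=False):
    """Build the query string for GET /ids/Users from (attribute, value) pairs.

    Clauses are joined with `or`, as in the request shown on the page.
    """
    if not pairs:
        raise ValueError("filter is required: supply at least one clause")
    if sort_order not in ("ascending", "descending"):
        raise ValueError("sortOrder must be ascending or descending")
    if start_index < 1 or count < 1:
        raise ValueError("startIndex and count must be positive")
    scim_filter = " or ".join(eq_clause(a, v) for a, v in pairs)
    return urlencode([
        ("filter", scim_filter),
        ("sortOrder", sort_order),
        ("startIndex", start_index),
        ("count", count),
        ("includeInactive", "true" if include_inactive else "false"),
    ])


if __name__ == "__main__":
    # The lookup from the page's curl example.
    print("/ids/Users?" + build_ids_query(
        [("userName", "bob97tg5B@test.org"),
         ("id", "0c86d534-cb07-41bd-a1fd-d191912d4120")],
        sort_order="descending", count=10, include_inactive=True))
    # Constructed input: a value that tries to close the quoted literal early.
    try:
        build_ids_query([("userName", 'x" or origin eq "ldap')])
    except ValueError as err:
        print("rejected:", err)
```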

    Invite users

    $ curl 'http://localhost/invite_users?client_id=ogtmda&redirect_uri=example.com' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 9a77a501a40d4a20b4f91f864aeaa9dd' \
        -d '{
      "emails" : [ "[email protected]", "[email protected]" ]
    }'
    
    POST /invite_users?client_id=ogtmda&redirect_uri=example.com HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 9a77a501a40d4a20b4f91f864aeaa9dd
    Content-Length: 59
    Host: localhost
    
    {
      "emails" : [ "[email protected]", "[email protected]" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 622
    
    {
      "new_invites" : [ {
        "email" : "[email protected]",
        "userId" : "41dbd69c-60df-4532-9745-18d15ae681af",
        "origin" : "uaa",
        "success" : true,
        "errorCode" : null,
        "errorMessage" : null,
        "inviteLink" : "http://localhost/invitations/accept?code=luYSfvndcXP-GfLUlGT1DnRx9y_gtk_F"
      }, {
        "email" : "[email protected]",
        "userId" : "c22a5b70-54d8-4e9e-b98b-ee8c640e3a59",
        "origin" : "uaa",
        "success" : true,
        "errorCode" : null,
        "errorMessage" : null,
        "inviteLink" : "http://localhost/invitations/accept?code=uuTghNPX1XuVw8cDXbk5kw6CSt6n3lYR"
      } ],
      "failed_invites" : [ ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing scim.invite
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    emails Array Required User is invited by providing an email address. More than one email address can be provided.

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional A unique string representing the registration information provided by the client
    redirect_uri String Required The user will be redirected to this URI when the user accepts the invitation. The redirect_uri will be validated against the allowed redirect_uri for the client.

    Response Fields

    Path Type Description
    new_invites[].email String Primary email id of the invited user
    new_invites[].userId String A unique string for the invited user
    new_invites[].origin String Unique alias of the provider
    new_invites[].success Boolean Flag to determine whether the invitation was sent successfully
    new_invites[].errorCode String Error code in case of failure to send invitation
    new_invites[].errorMessage String Error message in case of failure to send invitation
    new_invites[].inviteLink String Invitation link to invite users
    failed_invites Array List of invites having exception in sending the invitation

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Groups

    Create

    $ curl 'http://localhost/Groups' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368' \
        -d '{
      "displayName" : "Cool Group Name",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ]
    }'
    
    POST /Groups HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368
    Content-Length: 196
    Host: localhost
    
    {
      "displayName" : "Cool Group Name",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ]
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    ETag: "0"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 441
    
    {
      "id" : "5716e035-7306-4df4-a425-6109a590b247",
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:35.574Z",
        "lastModified" : "2024-11-20T08:36:35.574Z"
      },
      "displayName" : "Cool Group Name",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    displayName String Required An identifier, unique within the identity zone
    description String Optional Human readable description of the group, displayed e.g. when approving scopes
    members Array Optional Members to be included in the group
    members[].value String Required for each item in members The globally-unique ID of the member entity, either a user ID or another group ID
    members[].type String Optional (defaults to "USER") Either "USER" or "GROUP"
    members[].origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]

    Error Codes

    Error Code Description
    400 Bad Request - Invalid member ID
    403 Forbidden - Insufficient scope

    Retrieve

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247' -i -X GET \
        -H 'Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28'
    
    GET /Groups/5716e035-7306-4df4-a425-6109a590b247 HTTP/1.1
    Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "2"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "5716e035-7306-4df4-a425-6109a590b247",
      "meta" : {
        "version" : 2,
        "created" : "2024-11-20T08:36:35.574Z",
        "lastModified" : "2024-11-20T08:36:35.612Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId Globally unique identifier of the group to retrieve

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]

    Error Codes

    Error Code Description
    403 Forbidden - Insufficient scope

    Update

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368' \
        -H 'If-Match: 0' \
        -d '{
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ]
    }'
    
    PUT /Groups/5716e035-7306-4df4-a425-6109a590b247 HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368
    If-Match: 0
    Content-Length: 209
    Host: localhost
    
    {
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "1"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "5716e035-7306-4df4-a425-6109a590b247",
      "meta" : {
        "version" : 1,
        "created" : "2024-11-20T08:36:35.574Z",
        "lastModified" : "2024-11-20T08:36:35.592Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId Globally unique identifier of the group to update

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write or groups.update
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    displayName String Required An identifier, unique within the identity zone
    description String Optional Human readable description of the group, displayed e.g. when approving scopes
    members Array Optional Members to be included in the group
    members[].value String Required for each item in members The globally-unique ID of the member entity, either a user ID or another group ID
    members[].type String Optional (defaults to "USER") Either "USER" or "GROUP"
    members[].origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]

    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    409 Conflict
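
The If-Match header documented above is what stops a stale full PUT from undoing someone else's membership change. The following is an added example, not code from the UAA project: `FakeUaaGroups` is a constructed in-memory stand-in that models only the version check shown on this page, and the helper names and tokens are hypothetical.

```python
import copy
import json

# Sample group in the shape of the responses on this page (values from the example above).
SAMPLE_GROUP = {
    "id": "5716e035-7306-4df4-a425-6109a590b247",
    "meta": {"version": 1},
    "displayName": "Cooler Group Name for Update",
    "description": "the cool group",
    "members": [{"origin": "uaa", "type": "USER",
                 "value": "d3b77240-170d-49dc-82a5-aa86c334bca9"}],
}


class FakeUaaGroups:
    """Constructed in-memory stand-in for the /Groups endpoint (not UAA code).

    It models only what this page documents: meta.version goes up on each
    update, If-Match accepts a version or "*", and a wrong version gets 400.
    """

    def __init__(self, group):
        self.group = copy.deepcopy(group)

    def fetch(self, group_id):
        if group_id != self.group["id"]:
            raise KeyError(group_id)
        return copy.deepcopy(self.group)

    def send(self, method, path, headers, body):
        if (method, path) != ("PUT", "/Groups/" + self.group["id"]):
            return 404, {}
        if headers["If-Match"] not in ("*", str(self.group["meta"]["version"])):
            return 400, {}
        self.group.update(json.loads(body))
        self.group["meta"]["version"] += 1
        return 200, copy.deepcopy(self.group)


def build_put(group, token, pin_version=True):
    """Build the PUT request for a group, pinned to the version that was read."""
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "If-Match": str(group["meta"]["version"]) if pin_version else "*",
    }
    body = {k: group[k] for k in ("displayName", "description", "members") if k in group}
    return "PUT", "/Groups/" + group["id"], headers, json.dumps(body)


def update_group(fetch, send, token, group_id, mutate, pin_version=True, max_attempts=3):
    """Read-modify-write; on 400 re-read and re-apply instead of forcing the write."""
    for _ in range(max_attempts):
        group = fetch(group_id)
        mutate(group)
        status, payload = send(*build_put(group, token, pin_version))
        if status == 200:
            return payload
        if status != 400:
            raise RuntimeError("unexpected status %d" % status)
    raise RuntimeError("group kept changing; gave up after %d attempts" % max_attempts)


def demo_race(pin_version):
    """Admin A edits the description while admin B revokes the only member."""
    server = FakeUaaGroups(SAMPLE_GROUP)
    raced = []

    def fetch_then_race(group_id):
        snapshot = server.fetch(group_id)
        if not raced:  # B's revocation lands right after A's first read
            raced.append(True)
            current = server.fetch(group_id)
            current["members"] = []
            server.send(*build_put(current, "constructed-token-b"))
        return snapshot

    def edit_description(group):
        group["description"] = "reviewed"

    return update_group(fetch_then_race, server.send, "constructed-token-a",
                        SAMPLE_GROUP["id"], edit_description, pin_version)


if __name__ == "__main__":
    print("pinned  :", demo_race(True)["members"])    # revocation kept
    print("wildcard:", demo_race(False)["members"])   # revoked member is back
```

With the version pinned, admin A's first write is rejected and the retry keeps the revocation; with `If-Match: *` the stale member list is written back.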

    Patch

    Updating partial elements of a group is documented in the SCIM specification.

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247' -i -X PATCH \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368' \
        -H 'If-Match: *' \
        -d '{
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ]
    }'
    
    PATCH /Groups/5716e035-7306-4df4-a425-6109a590b247 HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368
    If-Match: *
    Content-Length: 209
    Host: localhost
    
    {
      "displayName" : "Cooler Group Name for Update",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "2"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "5716e035-7306-4df4-a425-6109a590b247",
      "meta" : {
        "version" : 2,
        "created" : "2024-11-20T08:36:35.574Z",
        "lastModified" : "2024-11-20T08:36:35.612Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId Globally unique identifier of the group to update

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write or groups.update
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.

    Request Fields

    Path Type Constraints Description
    displayName String Required An identifier, unique within the identity zone
    description String Optional Human readable description of the group, displayed e.g. when approving scopes
    members Array Optional Members to be included in the group
    members[].value String Required for each item in members The globally-unique ID of the member entity, either a user ID or another group ID
    members[].type String Optional (defaults to "USER") Either "USER" or "GROUP"
    members[].origin String Optional (defaults to "uaa") The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user. This value will NOT change during an update (put request) if the membership already exists under a different origin.
    members[].operation String Optional "delete" if the corresponding member shall be deleted
    meta.attributes Array Optional Names of attributes that shall be deleted

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]

    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    409 Conflict

    Delete

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247' -i -X DELETE \
        -H 'Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368'
    
    DELETE /Groups/5716e035-7306-4df4-a425-6109a590b247 HTTP/1.1
    Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    ETag: "2"
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 454
    
    {
      "id" : "5716e035-7306-4df4-a425-6109a590b247",
      "meta" : {
        "version" : 2,
        "created" : "2024-11-20T08:36:35.574Z",
        "lastModified" : "2024-11-20T08:36:35.612Z"
      },
      "displayName" : "Cooler Group Name for Update",
      "zoneId" : "uaa",
      "description" : "the cool group",
      "members" : [ {
        "origin" : "uaa",
        "type" : "USER",
        "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
      } ],
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/{groupId}

    Parameter Description
    groupId The globally unique identifier of the group

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    If-Match The version of the SCIM object to be updated. Wildcard (*) accepted.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    id String The globally unique group ID
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    description String Human readable description of the group, displayed e.g. when approving scopes
    members Array Array of group members
    members[].value String Globally unique identifier of the member, either a user ID or another group ID
    members[].type String Either "USER" or "GROUP"
    members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    zoneId String Identifier for the identity zone to which the group belongs
    meta.version Number The version of the group entity
    meta.created String The time the group was created
    meta.lastModified String The time the group was last updated
    schemas Array [ "urn:scim:schemas:core:1.0" ]

    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    409 Conflict

    List

    $ curl 'http://localhost/Groups?filter=id+eq+%225716e035-7306-4df4-a425-6109a590b247%22+or+displayName+eq+%22Cooler+Group+Name+for+Update%22&sortBy=lastModified&count=50&sortOrder=descending&startIndex=1' -i -X GET \
        -H 'Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28'
    
    GET /Groups?filter=id+eq+%225716e035-7306-4df4-a425-6109a590b247%22+or+displayName+eq+%22Cooler+Group+Name+for+Update%22&sortBy=lastModified&count=50&sortOrder=descending&startIndex=1 HTTP/1.1
    Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 621
    
    {
      "resources" : [ {
        "id" : "5716e035-7306-4df4-a425-6109a590b247",
        "meta" : {
          "version" : 2,
          "created" : "2024-11-20T08:36:35.574Z",
          "lastModified" : "2024-11-20T08:36:35.612Z"
        },
        "displayName" : "Cooler Group Name for Update",
        "zoneId" : "uaa",
        "description" : "the cool group",
        "members" : [ {
          "origin" : "uaa",
          "type" : "USER",
          "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
        } ],
        "schemas" : [ "urn:scim:schemas:core:1.0" ]
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 5,
      "totalResults" : 1,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional (defaults to id pr) A SCIM filter over groups
    sortBy String Optional (defaults to created) The field of the SCIM group to sort by
    sortOrder Number Optional (defaults to ascending) Sort in ascending or descending order
    startIndex Number Optional (defaults to 1) The index of the first result of this page within all matches
    count Number Optional (defaults to 100) Maximum number of results to return in a single page

    Response Fields

    Path Type Description
    resources[].id String The globally unique group ID
    resources[].displayName String The identifier specified upon creation of the group, unique within the identity zone
    resources[].description String Human readable description of the group, displayed e.g. when approving scopes
    resources[].members Array Array of group members
    resources[].members[].value String Globally unique identifier of the member, either a user ID or another group ID
    resources[].members[].type String Either "USER" or "GROUP"
    resources[].members[].origin String The alias of the identity provider that authenticated this user. "uaa" is an internal UAA user.
    resources[].zoneId String Identifier for the identity zone to which the group belongs
    resources[].meta.version Number The version of the group entity
    resources[].meta.created String The time the group was created
    resources[].meta.lastModified String The time the group was last updated
    resources[].schemas Array [ "urn:scim:schemas:core:1.0" ]
    itemsPerPage Number The page-size used to produce the current page of results
    startIndex Number The index of the first result of this page within all matches
    totalResults Number The number of groups that matched the given filter
    schemas Array [ "urn:scim:schemas:core:1.0" ]

    Error Code Description
    400 Bad Request - Invalid attributes
    403 Forbidden - Insufficient scope

    Check Membership

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247/members/d3b77240-170d-49dc-82a5-aa86c334bca9' -i -X GET \
        -H 'Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28'
    
    GET /Groups/5716e035-7306-4df4-a425-6109a590b247/members/d3b77240-170d-49dc-82a5-aa86c334bca9 HTTP/1.1
    Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 93
    
    {
      "origin" : "uaa",
      "type" : "USER",
      "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
    }
    

    Path Parameters

    /Groups/{groupId}/members/{memberId}

    Parameter Description
    groupId The globally unique identifier of the group
    memberId The globally unique identifier of the user or group which is a member of the group specified by groupId

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    value String The globally unique identifier of the user or group which is a member of the group specified by groupId
    type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    origin String The originating IDP of the entity, or "uaa" for groups and internal users

    Error Code Description
    400 Bad Request - Invalid member ID
    403 Forbidden - Insufficient scope
    404 Not Found - Group does not exist, or the entity is not a member

    Add Member

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247/members' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368' \
        -d '{"origin":"uaa","type":"USER","value":"d3b77240-170d-49dc-82a5-aa86c334bca9"}'
    
    POST /Groups/5716e035-7306-4df4-a425-6109a590b247/members HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368
    Content-Length: 77
    Host: localhost
    
    {"origin":"uaa","type":"USER","value":"d3b77240-170d-49dc-82a5-aa86c334bca9"}
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 93
    
    {
      "origin" : "uaa",
      "type" : "USER",
      "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
    }
    

    Path Parameters

    /Groups/{groupId}/members

    Parameter Description
    groupId The globally unique identifier of the group

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    value String Required The globally unique identifier of the user or group which is a member of the group specified by groupId
    type String Required Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    origin String Required The originating IDP of the entity, or "uaa" for groups and internal users

    Response Fields

    Path Type Description
    value String The globally unique identifier of the user or group which is a member of the group specified by groupId
    type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    origin String The originating IDP of the entity, or "uaa" for groups and internal users

    Error Code Description
    400 Bad Request - Invalid member ID
    403 Forbidden - Insufficient scope
    404 Not Found - Specified group or member entity does not exist

    Remove Member

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247/members/d3b77240-170d-49dc-82a5-aa86c334bca9' -i -X DELETE \
        -H 'Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368'
    
    DELETE /Groups/5716e035-7306-4df4-a425-6109a590b247/members/d3b77240-170d-49dc-82a5-aa86c334bca9 HTTP/1.1
    Authorization: Bearer 73a8036d0faa47be9f72c2cfeca14368
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 93
    
    {
      "origin" : "uaa",
      "type" : "USER",
      "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
    }
    

    Path Parameters

    /Groups/{groupId}/members/{memberId}

    Parameter Description
    groupId The globally unique identifier of the group
    memberId The globally unique identifier of the entity, i.e. the user or group, to be removed from membership in the group specified by groupId

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.write
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    origin String The originating IDP of the entity
    type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to
    value String The globally unique identifier of the user or group which has been removed from the group specified by groupId

    Error Code Description
    400 Bad Request - Incorrect version supplied in If-Match header
    403 Forbidden - Insufficient scope
    404 Not Found - Group does not exist, or the entity is not a member
    409 Conflict

    List Members

    $ curl 'http://localhost/Groups/5716e035-7306-4df4-a425-6109a590b247/members?returnEntities=true' -i -X GET \
        -H 'Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28'
    
    GET /Groups/5716e035-7306-4df4-a425-6109a590b247/members?returnEntities=true HTTP/1.1
    Authorization: Bearer 5798d0bdaa3941b983184d8dae06bb28
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 707
    
    [ {
      "origin" : "uaa",
      "type" : "USER",
      "entity" : {
        "id" : "d3b77240-170d-49dc-82a5-aa86c334bca9",
        "meta" : {
          "version" : 0,
          "created" : "2024-11-20T08:36:35.561Z",
          "lastModified" : "2024-11-20T08:36:35.561Z"
        },
        "userName" : "jNV5Xz",
        "name" : {
          "familyName" : "cool-familyName",
          "givenName" : "cool-name"
        },
        "emails" : [ {
          "value" : "[email protected]",
          "primary" : false
        } ],
        "active" : true,
        "verified" : true,
        "origin" : "uaa",
        "zoneId" : "uaa",
        "passwordLastModified" : "2024-11-20T08:36:35.000Z",
        "schemas" : [ "urn:scim:schemas:core:1.0" ]
      },
      "value" : "d3b77240-170d-49dc-82a5-aa86c334bca9"
    } ]
    

    Path Parameters

    /Groups/{groupId}/members

    Parameter Description
    groupId The globally unique identifier of the group

    Request Headers

    Name Description
    Authorization Bearer token with scope scim.read
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    returnEntities Boolean Optional (defaults to false) Set to true to return the SCIM entities which have membership in the group

    Response Fields

    Path Type Description
    [].value String The globally unique identifier of the user or group which is a member of the group specified by groupId
    [].type String Either "USER" or "GROUP", indicating what type of entity the group membership refers to, and whether value denotes a user ID or group ID
    [].origin String The originating IDP of the entity, or "uaa" for groups and internal users
    [].entity.* Varies Present only if requested with returnEntities; user or group details for each entity that is a member of this group

    Error Code Description
    400 Bad Request - Invalid attributes
    403 Forbidden - Insufficient scope
    404 Not Found - Specified group does not exist

    External Group Mappings

    Map

    $ curl 'http://localhost/Groups/External' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 64f5cccf976948f28ab5005f9c78b661' \
        -d '{
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:35.298Z"
      },
      "groupId" : "c76a3770-38ed-44f1-9a30-31a2c9a128c9",
      "externalGroup" : "External group",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }'
    
    POST /Groups/External HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 64f5cccf976948f28ab5005f9c78b661
    Content-Length: 242
    Host: localhost
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:35.298Z"
      },
      "groupId" : "c76a3770-38ed-44f1-9a30-31a2c9a128c9",
      "externalGroup" : "External group",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 362
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:35.303Z",
        "lastModified" : "2024-11-20T08:36:35.303Z"
      },
      "groupId" : "c76a3770-38ed-44f1-9a30-31a2c9a128c9",
      "externalGroup" : "external group",
      "displayName" : "Group For Testing Creating External Group Mapping",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.write scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Request Fields

    Path Type Constraints Description
    groupId String Required The globally unique group ID
    externalGroup String Required The identifier for the group in the external identity provider that needs to be mapped to internal UAA groups
    origin String Optional (defaults to "ldap") Unique alias of the identity provider
    meta.version Number Optional (defaults to 0) The version of the group entity

    Response Fields

    Path Type Description
    groupId String The globally unique group ID
    externalGroup String The identifier for the group in the external identity provider that needs to be mapped to internal UAA groups
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    origin String Unique alias of the identity provider
    meta.version Number The version of the group entity
    meta.created String The time the group mapping was created
    meta.lastModified String The time the group mapping was last updated
    schemas Array ["urn:scim:schemas:core:1.0"]

    Error Code Description
    400 Bad Request - External group or origin should not be null
    403 Forbidden - Insufficient scope
    404 Not Found - Incorrect group ID provided
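
An external group mapping grants a UAA group to everyone the identity provider places in the external group, so mappings are worth reviewing against an approved baseline. The following is an added example, not code from the UAA project: the sample mappings, the baseline and the list of privileged group names are constructed assumptions. External group names are compared case-insensitively because the Map response above returns "External group" as "external group".

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample in the shape of the mapping objects on this page.
SAMPLE_MAPPINGS = [
    {"displayName": "internal.read", "origin": "ldap",
     "externalGroup": "cn=developers,ou=scopes,dc=test,dc=com",
     "groupId": "00000000-0000-0000-0000-000000000001"},
    {"displayName": "internal.everything", "origin": "ldap",
     "externalGroup": "cn=superusers,ou=scopes,dc=test,dc=com",
     "groupId": "00000000-0000-0000-0000-000000000002"},
    {"displayName": "internal.superuser", "origin": "ldap",
     "externalGroup": "cn=superusers,ou=scopes,dc=test,dc=com",
     "groupId": "00000000-0000-0000-0000-000000000003"},
    {"displayName": "scim.write", "origin": "ldap",
     "externalGroup": "cn=helpdesk,ou=scopes,dc=test,dc=com",
     "groupId": "00000000-0000-0000-0000-000000000004"},
]

# Assumed reviewed baseline: (origin, externalGroup, UAA group displayName).
APPROVED = [
    ("ldap", "CN=Developers,OU=scopes,DC=test,DC=com", "internal.read"),
    ("ldap", "cn=superusers,ou=scopes,dc=test,dc=com", "internal.everything"),
    ("ldap", "cn=superusers,ou=scopes,dc=test,dc=com", "internal.superuser"),
]

# Assumed set of group names treated as privileged for this review.
PRIVILEGED_PATTERNS = ["uaa.admin", "scim.write", "zones.*.admin"]


def mapping_key(mapping):
    """Identity of a mapping, with the external group name lower-cased."""
    return (mapping["origin"], mapping["externalGroup"].lower(), mapping["displayName"])


def audit_mappings(mappings, approved, privileged_patterns):
    """Return findings as (kind, detail) tuples.

    unapproved: mapping is not in the reviewed baseline
    privileged: mapped UAA group matches a privileged name pattern
    fan-out:    one external group confers more than one UAA group
    """
    approved_keys = {(origin, ext.lower(), name) for origin, ext, name in approved}
    grants = defaultdict(set)
    findings = []
    for mapping in mappings:
        key = mapping_key(mapping)
        grants[key[:2]].add(mapping["displayName"])
        if key not in approved_keys:
            findings.append(("unapproved", key))
        if any(fnmatchcase(mapping["displayName"], p) for p in privileged_patterns):
            findings.append(("privileged", key))
    for source, names in sorted(grants.items()):
        if len(names) > 1:
            findings.append(("fan-out", source + (tuple(sorted(names)),)))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_mappings(SAMPLE_MAPPINGS, APPROVED, PRIVILEGED_PATTERNS):
        print(kind, detail)
```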

    Unmap

    By group ID

    $ curl 'http://localhost/Groups/External/groupId/5d7e1aca-3734-405a-a274-3181271dacf5/externalGroup/external%20group/origin/ldap' -i -X DELETE \
        -H 'Authorization: Bearer 0ff19360229f45b38dde21d48259a657'
    
    DELETE /Groups/External/groupId/5d7e1aca-3734-405a-a274-3181271dacf5/externalGroup/external%20group/origin/ldap HTTP/1.1
    Authorization: Bearer 0ff19360229f45b38dde21d48259a657
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 362
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:35.159Z",
        "lastModified" : "2024-11-20T08:36:35.159Z"
      },
      "groupId" : "5d7e1aca-3734-405a-a274-3181271dacf5",
      "externalGroup" : "external group",
      "displayName" : "Group For Testing Deleting External Group Mapping",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/External/groupId/{groupId}/externalGroup/{externalGroup}/origin/{origin}

    Parameter Description
    groupId The globally unique group ID
    externalGroup The identifier for the group in the external identity provider that needs to be mapped to internal UAA groups
    origin Unique alias of the identity provider

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.write scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    groupId String The globally unique group ID
    externalGroup String The identifier for the group in the external identity provider that needs to be mapped to internal UAA groups
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    origin String Unique alias of the identity provider
    meta.version Number The version of the group entity
    meta.created String The time the group mapping was created
    meta.lastModified String The time the group mapping was last updated
    schemas Array ["urn:scim:schemas:core:1.0"]

    Error Code Description
    403 Forbidden - Insufficient scope
    404 Not Found - No such group ID, external group, origin combination

    By group display name

    $ curl 'http://localhost/Groups/External/displayName/Group%20For%20Testing%20Deleting%20External%20Group%20Mapping%20By%20Name/externalGroup/external%20group/origin/ldap' -i -X DELETE \
        -H 'Authorization: Bearer b310aab1e2ba4e56b701ec68950ed57e'
    
    DELETE /Groups/External/displayName/Group%20For%20Testing%20Deleting%20External%20Group%20Mapping%20By%20Name/externalGroup/external%20group/origin/ldap HTTP/1.1
    Authorization: Bearer b310aab1e2ba4e56b701ec68950ed57e
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 370
    
    {
      "meta" : {
        "version" : 0,
        "created" : "2024-11-20T08:36:35.360Z",
        "lastModified" : "2024-11-20T08:36:35.360Z"
      },
      "groupId" : "0bf8545a-9335-40d9-9c48-73f1cf5c2492",
      "externalGroup" : "external group",
      "displayName" : "Group For Testing Deleting External Group Mapping By Name",
      "origin" : "ldap",
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Path Parameters

    /Groups/External/displayName/{displayName}/externalGroup/{externalGroup}/origin/{origin}

    Parameter Description
    displayName The identifier specified upon creation of the group, unique within the identity zone
    externalGroup The identifier for the group in the external identity provider that needs to be mapped to internal UAA groups
    origin Unique alias of the identity provider

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.write scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    groupId String The globally unique group ID
    externalGroup String The identifier for the group in the external identity provider that needs to be mapped to internal UAA groups
    displayName String The identifier specified upon creation of the group, unique within the identity zone
    origin String Unique alias of the identity provider
    meta.version Number The version of the group entity
    meta.created String The time the group mapping was created
    meta.lastModified String The time the group mapping was last updated
    schemas Array ["urn:scim:schemas:core:1.0"]

    Error Code Description
    403 Forbidden - Insufficient scope
    404 Not Found - No such group display name, external group, origin combination

    List

    $ curl 'http://localhost/Groups/External?startIndex=1&count=50&origin=ldap&externalGroup=&filter=' -i -X GET \
        -H 'Authorization: Bearer 746f4ffdda8b472da9033c4dbdcc9792'
    
    GET /Groups/External?startIndex=1&count=50&origin=ldap&externalGroup=&filter= HTTP/1.1
    Authorization: Bearer 746f4ffdda8b472da9033c4dbdcc9792
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1284
    
    {
      "resources" : [ {
        "displayName" : "internal.read",
        "externalGroup" : "cn=developers,ou=scopes,dc=test,dc=com",
        "groupId" : "32c7393e-7a4a-4b85-b8bc-086bab757c0f",
        "origin" : "ldap"
      }, {
        "displayName" : "internal.everything",
        "externalGroup" : "cn=superusers,ou=scopes,dc=test,dc=com",
        "groupId" : "44fefbb0-a7f5-4427-b7c4-0739a92b51aa",
        "origin" : "ldap"
      }, {
        "displayName" : "internal.superuser",
        "externalGroup" : "cn=superusers,ou=scopes,dc=test,dc=com",
        "groupId" : "8a99d107-e9aa-4a08-8139-8cd789a0bd7e",
        "origin" : "ldap"
      }, {
        "displayName" : "Group For Testing Retrieving External Group Mappings",
        "externalGroup" : "external group",
        "groupId" : "af3db740-b124-44c7-9888-befe632cc7b0",
        "origin" : "ldap"
      }, {
        "displayName" : "organizations.acme",
        "externalGroup" : "cn=test_org,ou=people,o=springsource,o=org",
        "groupId" : "e777921e-3926-486c-a8e9-b6f3b98e95e6",
        "origin" : "ldap"
      }, {
        "displayName" : "internal.write",
        "externalGroup" : "cn=operators,ou=scopes,dc=test,dc=com",
        "groupId" : "e7f9c301-2671-468e-8a64-1b973552f57f",
        "origin" : "ldap"
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 6,
      "totalResults" : 6,
      "schemas" : [ "urn:scim:schemas:core:1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with authorization for scim.read scope
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.

    Response Fields

    Path Type Description
    resources[].groupId String The globally unique group ID
    resources[].displayName String The identifier specified upon creation of the group, unique within the identity zone
    resources[].externalGroup String The identifier for the group in external identity provider that needs to be mapped to internal UAA groups
    resources[].origin String Unique alias of the identity provider
    startIndex Number The index of the first item of this page of results
    itemsPerPage Number The page size used in producing this page of results
    totalResults Number The number of results which matched the filter
    schemas Array ["urn:scim:schemas:core:1.0"]

    Error Code Description
    400 Bad Request - Invalid request parameters
    403 Forbidden - Insufficient scope

    Clients

    Create

    $ curl 'http://localhost/oauth/clients' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 43e2ebd2b6824785b5a52f630c64920a' \
        -H 'Accept: application/json' \
        -d '{
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "dtvaZe",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "VpxChK",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }'
    
    POST /oauth/clients HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 43e2ebd2b6824785b5a52f630c64920a
    Accept: application/json
    Content-Length: 468
    Host: localhost
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "dtvaZe",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "VpxChK",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 517
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "dtvaZe",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "VpxChK",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091787136,
      "required_user_groups" : [ ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    client_id String Required Client identifier, unique within identity zone
    authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    allowpublic Boolean Optional (defaults to false) If true, client_secret may be omitted for the authorization_code flow in combination with PKCE
    access_token_validity Number Optional Time in seconds from issuance until the access token expires
    refresh_token_validity Number Optional Time in seconds from issuance until the refresh token expires
    allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String Optional A human-readable name for the client
    token_salt String Optional A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    createdwith String Optional What scope the bearer token had when the client was created
    approvals_deleted Boolean Optional Whether the approvals were deleted for the client and an audit event was sent
    required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    client_secret String Required if the client allows authorization_code or client_credentials grant type A secret string used for authenticating as this client.
    secondary_client_secret String Optional An optional, secondary secret string used for authenticating as this client to support secret rotation.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, client_secret may be omitted for the authorization_code flow in combination with PKCE
    access_token_validity Number Time in seconds from issuance until the access token expires
    refresh_token_validity Number Time in seconds from issuance until the refresh token expires
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human-readable name for the client
    token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when the client was created
    approvals_deleted Boolean Whether the approvals were deleted for the client and an audit event was sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered
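
    The request fields above decide how much a client registration exposes: redirect patterns, auto-approved scopes, granted authorities and allowed identity providers. The following audit is an added example, not part of the UAA project; the function names, the privileged-authority list and the token lifetime limit are assumptions chosen for illustration.

```python
import json
from urllib.parse import urlsplit

# Sample body copied from the "Create" response shown above (the page's own test data).
SAMPLE_CLIENT = json.loads("""
{
  "scope": ["clients.read", "clients.write"],
  "client_id": "dtvaZe",
  "resource_ids": ["none"],
  "authorized_grant_types": ["client_credentials"],
  "redirect_uri": ["http://ant.path.wildcard/**/passback/*", "http://test1.com"],
  "autoapprove": ["true"],
  "authorities": ["clients.read", "clients.write"],
  "token_salt": "VpxChK",
  "allowedproviders": ["uaa", "ldap", "my-saml-provider"],
  "name": "My Client Name",
  "required_user_groups": []
}
""")

# Constructed for this example: a narrowly scoped browser-facing client.
HARDENED_CLIENT = {
    "client_id": "portal",
    "scope": ["openid"],
    "authorized_grant_types": ["authorization_code"],
    "redirect_uri": ["https://portal.example.com/callback"],
    "autoapprove": [],
    "authorities": ["uaa.none"],
    "allowedproviders": ["uaa"],
    "access_token_validity": 600,
}

# Assumed local policy values, not UAA defaults.
PRIVILEGED_AUTHORITIES = {"clients.write", "clients.admin", "uaa.admin"}
MAX_ACCESS_TOKEN_SECONDS = 3600
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def _redirect_findings(pattern):
    """Findings for one redirect_uri entry (a literal URI or an Ant-style pattern)."""
    parts = urlsplit(pattern)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https" and host not in LOOPBACK_HOSTS:
        findings.append(("redirect_uri", f"{pattern}: not https"))
    if "*" in parts.netloc:
        findings.append(("redirect_uri", f"{pattern}: wildcard in host part"))
    if "**" in parts.path:
        findings.append(("redirect_uri", f"{pattern}: '**' matches any number of path segments"))
    return findings


def audit_client(client):
    """Return (field, message) findings for one client registration dict."""
    findings = []
    for pattern in client.get("redirect_uri") or []:
        findings.extend(_redirect_findings(pattern))

    # A request value of true is echoed as ["true"] in the sample response.
    autoapprove = client.get("autoapprove")
    if autoapprove is True or (isinstance(autoapprove, list) and "true" in autoapprove):
        findings.append(("autoapprove", "all scopes skip user approval"))

    granted = PRIVILEGED_AUTHORITIES.intersection(client.get("authorities") or [])
    if granted:
        findings.append(("authorities", "privileged: " + ", ".join(sorted(granted))))

    # Per the field description, null means any identity provider is allowed.
    if client.get("allowedproviders") is None:
        findings.append(("allowedproviders", "unset, any identity provider is allowed"))

    if client.get("allowpublic"):
        findings.append(("allowpublic", "client_secret may be omitted, relies on PKCE"))

    validity = client.get("access_token_validity")
    if validity is not None and validity > MAX_ACCESS_TOKEN_SECONDS:
        findings.append(("access_token_validity", f"{validity}s exceeds assumed policy"))
    return findings


if __name__ == "__main__":
    for name, client in (("sample", SAMPLE_CLIENT), ("hardened", HARDENED_CLIENT)):
        print(name)
        for field, message in audit_client(client):
            print(f"  [{field}] {message}")
```

    The same function can be run over each entry of resources[] returned by the List endpoint.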

    Retrieve

    $ curl 'http://localhost/oauth/clients/xVjfNN' -i -X GET \
        -H 'Authorization: Bearer 20cfcf5b7ade42ad8c8765d55de0449a' \
        -H 'Accept: application/json'
    
    GET /oauth/clients/xVjfNN HTTP/1.1
    Authorization: Bearer 20cfcf5b7ade42ad8c8765d55de0449a
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 517
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "xVjfNN",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "C8Qppy",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091787314,
      "required_user_groups" : [ ]
    }
    

    Path Parameters

    /oauth/clients/{client_id}

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, client_secret may be omitted for the authorization_code flow in combination with PKCE
    access_token_validity Number Time in seconds from issuance until the access token expires
    refresh_token_validity Number Time in seconds from issuance until the refresh token expires
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human-readable name for the client
    token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when the client was created
    approvals_deleted Boolean Whether the approvals were deleted for the client and an audit event was sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Update

    $ curl 'http://localhost/oauth/clients/O-01ji' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 5ad7215299e944a7b0356cb897f10631' \
        -H 'Accept: application/json' \
        -d '{
      "scope" : [ "clients.new", "clients.autoapprove" ],
      "client_id" : "O-01ji",
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://redirect.url" ],
      "autoapprove" : [ "clients.autoapprove" ]
    }'
    
    PUT /oauth/clients/O-01ji HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 5ad7215299e944a7b0356cb897f10631
    Accept: application/json
    Content-Length: 228
    Host: localhost
    
    {
      "scope" : [ "clients.new", "clients.autoapprove" ],
      "client_id" : "O-01ji",
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://redirect.url" ],
      "autoapprove" : [ "clients.autoapprove" ]
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 498
    
    {
      "scope" : [ "clients.new", "clients.autoapprove" ],
      "client_id" : "O-01ji",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://redirect.url" ],
      "autoapprove" : [ "clients.autoapprove" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "egeclL",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786768,
      "required_user_groups" : [ ]
    }
    

    Path Parameters

    /oauth/clients/{client_id}

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    client_id String Required Client identifier, unique within identity zone
    authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    allowpublic Boolean Optional (defaults to false) If true, client_secret may be omitted for the authorization_code flow in combination with PKCE
    access_token_validity Number Optional Time in seconds from issuance until the access token expires
    refresh_token_validity Number Optional Time in seconds from issuance until the refresh token expires
    allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String Optional A human-readable name for the client
    token_salt String Optional A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    createdwith String Optional What scope the bearer token had when the client was created
    approvals_deleted Boolean Optional Whether the approvals were deleted for the client and an audit event was sent
    required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, client_secret may be omitted for the authorization_code flow in combination with PKCE
    access_token_validity Number Time in seconds from issuance until the access token expires
    refresh_token_validity Number Time in seconds from issuance until the refresh token expires
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human-readable name for the client
    token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when the client was created
    approvals_deleted Boolean Whether the approvals were deleted for the client and an audit event was sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Delete

    $ curl 'http://localhost/oauth/clients/BYbIkK' -i -X DELETE \
        -H 'Authorization: Bearer aaeac1af2ad441cbb1bec4dd4f0b48e6' \
        -H 'Accept: application/json'
    
    DELETE /oauth/clients/BYbIkK HTTP/1.1
    Authorization: Bearer aaeac1af2ad441cbb1bec4dd4f0b48e6
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 517
    
    {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "BYbIkK",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "hXVQoK",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786846,
      "required_user_groups" : [ ]
    }
    

    Path Parameters

    /oauth/clients/{client_id}

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Response Fields

    Path Type Description
    client_id String Client identifier, unique within identity zone
    authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    scope Array Scopes allowed for the client
    resource_ids Array Resources the client is allowed access to
    authorities Array Scopes which the client is able to grant when creating a client
    autoapprove [Boolean, Array] Scopes that do not require user approval
    allowpublic Boolean If true, client_secret may be omitted for the authorization_code flow in combination with PKCE
    access_token_validity Number Time in seconds from issuance until the access token expires
    refresh_token_validity Number Time in seconds from issuance until the refresh token expires
    allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    name String A human-readable name for the client
    token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    createdwith String What scope the bearer token had when the client was created
    approvals_deleted Boolean Whether the approvals were deleted for the client and an audit event was sent
    required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Change Secret

    $ curl 'http://localhost/oauth/clients/CukTL4/secret' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 0cc80946a1d842f2b1233607598d17c7' \
        -H 'Accept: application/json' \
        -d '{
      "clientId" : "CukTL4",
      "secret" : "new_secret"
    }'
    
    PUT /oauth/clients/CukTL4/secret HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 0cc80946a1d842f2b1233607598d17c7
    Accept: application/json
    Content-Length: 54
    Host: localhost
    
    {
      "clientId" : "CukTL4",
      "secret" : "new_secret"
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 53
    
    {
      "status" : "ok",
      "message" : "secret updated"
    }
    

    Path Parameters

    /oauth/clients/{client_id}/secret

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    clientId String Required Client identifier, unique within identity zone
    oldSecret String Optional if authenticated as an admin client. Required otherwise. A valid client secret before updating
    secret String Required The new client secret
    changeMode String Optional (defaults to "UPDATE") If change mode is set to ADD, the new secret is added alongside the existing one; if it is set to DELETE, the old secret is deleted. Together these modes support secret rotation. Currently only two client secrets are supported at any given time.

    Change Client JWT

    Use this configuration when the client authenticates with the private_key_jwt method instead of secret-based client authentication. See details for client authentication with OAuth2. Authentication with a client JWT (parameter client_assertion) is similar to user authentication with a user JWT (JWT bearer, e.g. RFC 7522). The client JWT is specified both by the OAuth2 standard, in RFC 7523, and by OpenID Connect. UAA currently supports only the OpenID Connect standard.

    The client can send a client_assertion for authentication instead of a client_secret or an Authorization header. The signature of the JWT in client_assertion is validated according to the OpenID Connect standard, using either the jwks_uri or the internal jwks public keys.

    $ curl 'http://localhost/oauth/clients/Q1K6wC/clientjwt' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 178bdc3d3ced4dd0a65cc448ca23c7b1' \
        -H 'Accept: application/json' \
        -d '{
      "jwks_uri" : "http://localhost:8080/uaa/token_keys",
      "client_id" : "Q1K6wC"
    }'
    
    PUT /oauth/clients/Q1K6wC/clientjwt HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 178bdc3d3ced4dd0a65cc448ca23c7b1
    Accept: application/json
    Content-Length: 83
    Host: localhost
    
    {
      "jwks_uri" : "http://localhost:8080/uaa/token_keys",
      "client_id" : "Q1K6wC"
    }
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 72
    
    {
      "status" : "ok",
      "message" : "Client jwt configuration is added"
    }
    

    Path Parameters

    /oauth/clients/{client_id}/clientjwt

    Parameter Description
    client_id Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token containing clients.trust, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    client_id String Required Client identifier, unique within identity zone
    jwks String Optional only if jwks_uri is used; required otherwise. A valid JSON string according to the JSON Web Key Set standard (see RFC 7517), e.g. the content of the /token_keys endpoint from UAA
    jwks_uri String Optional only if jwks is used; required otherwise. A valid URI to a token keys endpoint. Must be compliant with jwks_uri from OpenID Discovery.
    kid String Optional; used only if a single JWK should be deleted, otherwise ignored. If change mode is set to DELETE, it specifies the id of the key that will be deleted. The kid parameter is only applicable when jwks configuration is used.
    changeMode String Optional (defaults to "ADD") If change mode is set to ADD, the new JWKS is added to the existing configuration; if it is set to DELETE, the old JWKS is deleted. The option UPDATE enables changes to the complete trust setting and allows switching between JWKS and JWKS_URI.
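
    Because the keys registered here are what UAA trusts when it validates a client_assertion, the request body is worth checking before it is sent, in particular that the jwks string holds public keys only. The following pre-flight check is an added example, not UAA code; the function names, the https policy for jwks_uri and the treatment of a DELETE by kid are assumptions, and the sample keys are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

CHANGE_MODES = {"ADD", "DELETE", "UPDATE"}
# JWK members that carry private or symmetric key material (RFC 7518).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample key sets; the n and d values are placeholders, not key material.
PUBLIC_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-1", "use": "sig", "e": "AQAB", "n": "constructed-modulus"}]})
LEAKY_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-1", "e": "AQAB", "n": "constructed-modulus",
     "d": "constructed-private-exponent"}]})


def _jwks_problems(jwks_string):
    """Check the jwks field: a JSON string holding a JWK Set of public keys."""
    try:
        jwk_set = json.loads(jwks_string)
    except (TypeError, ValueError):
        return ["jwks is not a valid JSON string"]
    keys = jwk_set.get("keys") if isinstance(jwk_set, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["jwks has no non-empty 'keys' array"]
    problems = []
    for index, key in enumerate(keys):
        if not isinstance(key, dict) or "kty" not in key:
            problems.append(f"key #{index}: missing kty")
            continue
        label = key.get("kid", f"#{index}")
        if key["kty"] == "oct":
            problems.append(f"key {label}: symmetric key, not usable for private_key_jwt")
            continue
        leaked = sorted(PRIVATE_MEMBERS.intersection(key))
        if leaked:
            problems.append(f"key {label}: private members present: {', '.join(leaked)}")
    return problems


def check_clientjwt_request(body):
    """Return a list of problems for a PUT .../clientjwt body; empty means none found."""
    problems = []
    if not body.get("client_id"):
        problems.append("client_id is required")
    mode = body.get("changeMode", "ADD")  # ADD is the documented default
    if mode not in CHANGE_MODES:
        problems.append(f"changeMode {mode!r} is not ADD, DELETE or UPDATE")
    jwks, jwks_uri, kid = body.get("jwks"), body.get("jwks_uri"), body.get("kid")
    # Assumption: a DELETE that names a kid needs no key material of its own.
    if jwks is None and jwks_uri is None and not (mode == "DELETE" and kid):
        problems.append("one of jwks or jwks_uri is required")
    if kid and mode != "DELETE":
        problems.append("kid is ignored unless changeMode is DELETE")
    if kid and jwks_uri is not None:
        problems.append("kid only applies to a jwks configuration, not jwks_uri")
    if jwks is not None:
        problems.extend(_jwks_problems(jwks))
    if jwks_uri is not None:
        parts = urlsplit(jwks_uri)
        if not parts.scheme or not parts.hostname:
            problems.append("jwks_uri is not an absolute URI")
        elif parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
            problems.append("jwks_uri is not https (assumed local policy)")
    return problems


if __name__ == "__main__":
    for body in ({"client_id": "Q1K6wC", "jwks": PUBLIC_JWKS},
                 {"client_id": "Q1K6wC", "jwks": LEAKY_JWKS}):
        print(check_clientjwt_request(body) or "ok")
```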

    List

    $ curl 'http://localhost/oauth/clients?filter=client_id+eq+%22bro0yl%22&sortBy=client_id&sortOrder=descending&startIndex=1&count=10' -i -X GET \
        -H 'Authorization: Bearer acd442f0c8f34c968b46876b95acefe2' \
        -H 'Accept: application/json'
    
    GET /oauth/clients?filter=client_id+eq+%22bro0yl%22&sortBy=client_id&sortOrder=descending&startIndex=1&count=10 HTTP/1.1
    Authorization: Bearer acd442f0c8f34c968b46876b95acefe2
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 672
    
    {
      "resources" : [ {
        "scope" : [ "clients.read", "clients.write" ],
        "client_id" : "bro0yl",
        "resource_ids" : [ "none" ],
        "authorized_grant_types" : [ "client_credentials" ],
        "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
        "autoapprove" : [ "true" ],
        "authorities" : [ "clients.read", "clients.write" ],
        "token_salt" : "l7naN6",
        "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
        "name" : "My Client Name",
        "lastModified" : 1732091787223
      } ],
      "startIndex" : 1,
      "itemsPerPage" : 1,
      "totalResults" : 1,
      "schemas" : [ "http://cloudfoundry.org/schema/scim/oauth-clients-1.0" ]
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    filter String Optional (defaults to client_id pr) SCIM filter for querying clients
    sortBy String Optional (defaults to client_id) Field to sort results by
    sortOrder String Optional (defaults to ascending) Sort results in ascending or descending order
    startIndex Number Optional (defaults to 1) Index of the first result on which to begin the page
    count Number Optional (defaults to 100) Number of results per page

    Response Fields

    Path Type Description
    resources[].client_id String Client identifier, unique within identity zone
    resources[].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    resources[].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    resources[].scope Array Scopes allowed for the client
    resources[].resource_ids Array Resources the client is allowed access to
    resources[].authorities Array Scopes which the client is able to grant when creating a client
    resources[].autoapprove [Boolean, Array] Scopes that do not require user approval
    resources[].allowpublic Boolean If true, the client_secret may be omitted for the authorization_code flow when used in combination with PKCE
    resources[].access_token_validity Number Time in seconds until the access token expires after it is issued
    resources[].refresh_token_validity Number Time in seconds until the refresh token expires after it is issued
    resources[].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    resources[].name String A human-readable name for the client
    resources[].token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    resources[].createdwith String The scope the bearer token had when the client was created
    resources[].approvals_deleted Boolean Whether the approvals for the client were deleted and an audit event was sent
    resources[].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    resources[].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    startIndex Number Index of the first result on this page
    itemsPerPage Number Number of results per page
    totalResults Number Total number of results that matched the query
    schemas Array ["urn:scim:schemas:core:1.0"]
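
    The paging fields (startIndex, count, totalResults) and the client fields documented above are enough to walk the whole client list and flag risky registrations. The following is an added example, not part of the UAA documentation or code base: fake_fetch stands in for the GET /oauth/clients call, the finding names are invented here, and treating autoapprove true as "every scope" is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample data. The first entry copies the client shown in the List
# response above; the other two are invented for illustration.
SAMPLE_CLIENTS = [
    {
        "client_id": "bro0yl",
        "scope": ["clients.read", "clients.write"],
        "authorized_grant_types": ["client_credentials"],
        "redirect_uri": ["http://ant.path.wildcard/**/passback/*", "http://test1.com"],
        "autoapprove": ["true"],
        "authorities": ["clients.read", "clients.write"],
        "allowedproviders": ["uaa", "ldap", "my-saml-provider"],
    },
    {
        "client_id": "portal-example",
        "scope": ["openid"],
        "authorized_grant_types": ["authorization_code"],
        "redirect_uri": ["https://portal.example.test/callback"],
        "autoapprove": ["openid"],
        "authorities": ["uaa.none"],
        "allowedproviders": ["uaa"],
    },
    {
        "client_id": "spa-example",
        "scope": ["openid"],
        "authorized_grant_types": ["authorization_code"],
        "redirect_uri": ["https://spa.example.test/**"],
        "allowpublic": True,
        "authorities": ["uaa.none"],
        # allowedproviders absent: handled like null (any identity provider)
    },
]

# Scopes that the request-header tables list as sufficient to manage clients.
CLIENT_ADMIN = {"clients.write", "clients.admin"}


def fake_fetch(start_index, count):
    """Offline stand-in for GET /oauth/clients?startIndex=..&count=.. (hypothetical)."""
    page = SAMPLE_CLIENTS[start_index - 1:start_index - 1 + count]
    return {"resources": page, "startIndex": start_index,
            "itemsPerPage": len(page), "totalResults": len(SAMPLE_CLIENTS)}


def iter_clients(fetch_page, count=100):
    """Yield every client, following startIndex until totalResults is reached."""
    start = 1
    while True:
        body = fetch_page(start, count)
        resources = body.get("resources", [])
        yield from resources
        start += len(resources)
        # Stop on an empty page as well, so a bad totalResults cannot loop forever.
        if not resources or start > body.get("totalResults", 0):
            return


def audit_client(client):
    """Return a sorted list of finding codes for one client record."""
    codes = set()
    for uri in client.get("redirect_uri") or []:
        if "*" in uri:                       # Ant-style wildcard in the pattern
            codes.add("wildcard-redirect")
        if urlsplit(uri).scheme.lower() != "https":
            codes.add("non-https-redirect")
    auto = client.get("autoapprove")         # documented type: Boolean or Array
    if auto is True or (isinstance(auto, list)
                        and any(str(v).lower() == "true" for v in auto)):
        codes.add("autoapprove-all")         # assumption: true covers every scope
    if client.get("allowedproviders") is None:
        codes.add("any-identity-provider")   # null implies any provider is allowed
    if client.get("allowpublic"):
        codes.add("public-client")           # no client_secret, relies on PKCE
    grants = set(client.get("authorized_grant_types") or [])
    if "client_credentials" in grants and CLIENT_ADMIN & set(client.get("authorities") or []):
        codes.add("can-manage-clients")      # can mint a token that edits clients
    return sorted(codes)


def audit_all(fetch_page, count=100):
    """Map client_id to its findings across all pages."""
    return {c["client_id"]: audit_client(c) for c in iter_clients(fetch_page, count)}


if __name__ == "__main__":
    for client_id, codes in audit_all(fake_fetch, count=2).items():
        print(client_id, codes)
```

    To run it against a real zone, replace fake_fetch with a function that issues the documented GET request and returns the parsed JSON body.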

    Batch Create

    $ curl 'http://localhost/oauth/clients/tx' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e' \
        -H 'Accept: application/json' \
        -d '[ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "sZrKOw",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]'
    
    POST /oauth/clients/tx HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e
    Accept: application/json
    Content-Length: 942
    Host: localhost
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "sZrKOw",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1040
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786926,
      "required_user_groups" : [ ]
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "sZrKOw",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786927,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone
    [].authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    [].resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    [].authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    [].allowpublic Boolean Optional (defaults to false) If true, the client_secret may be omitted for the authorization_code flow when used in combination with PKCE
    [].access_token_validity Number Optional Time in seconds until the access token expires after it is issued
    [].refresh_token_validity Number Optional Time in seconds until the refresh token expires after it is issued
    [].allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String Optional A human-readable name for the client
    [].token_salt String Optional A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String Optional The scope the bearer token had when the client was created
    [].approvals_deleted Boolean Optional Whether the approvals for the client were deleted and an audit event was sent
    [].required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].client_secret String Required if the client allows authorization_code or client_credentials grant type A secret string used for authenticating as this client.

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, the client_secret may be omitted for the authorization_code flow when used in combination with PKCE
    [].access_token_validity Number Time in seconds until the access token expires after it is issued
    [].refresh_token_validity Number Time in seconds until the refresh token expires after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human-readable name for the client
    [].token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String The scope the bearer token had when the client was created
    [].approvals_deleted Boolean Whether the approvals for the client were deleted and an audit event was sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Batch Update

    $ curl 'http://localhost/oauth/clients/tx' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e' \
        -H 'Accept: application/json' \
        -d '[ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "sZrKOw",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]'
    
    PUT /oauth/clients/tx HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e
    Accept: application/json
    Content-Length: 899
    Host: localhost
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "sZrKOw",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name"
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1057
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786926,
      "required_user_groups" : [ ]
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "sZrKOw",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786927,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone
    [].authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    [].resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    [].authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    [].allowpublic Boolean Optional (defaults to false) If true, the client_secret may be omitted for the authorization_code flow when used in combination with PKCE
    [].access_token_validity Number Optional Time in seconds until the access token expires after it is issued
    [].refresh_token_validity Number Optional Time in seconds until the refresh token expires after it is issued
    [].allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String Optional A human-readable name for the client
    [].token_salt String Optional A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String Optional The scope the bearer token had when the client was created
    [].approvals_deleted Boolean Optional Whether the approvals for the client were deleted and an audit event was sent
    [].required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, the client_secret may be omitted for the authorization_code flow when used in combination with PKCE
    [].access_token_validity Number Time in seconds until the access token expires after it is issued
    [].refresh_token_validity Number Time in seconds until the refresh token expires after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human-readable name for the client
    [].token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String The scope the bearer token had when the client was created
    [].approvals_deleted Boolean Whether the approvals for the client were deleted and an audit event was sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered

    Batch Secret Change

    $ curl 'http://localhost/oauth/clients/tx/secret' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e' \
        -H 'Accept: application/json' \
        -d '[ {
      "clientId" : "-Odni4",
      "secret" : "new_secret"
    }, {
      "clientId" : "sZzdUE",
      "secret" : "new_secret"
    } ]'
    
    POST /oauth/clients/tx/secret HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e
    Accept: application/json
    Content-Length: 114
    Host: localhost
    
    [ {
      "clientId" : "-Odni4",
      "secret" : "new_secret"
    }, {
      "clientId" : "sZzdUE",
      "secret" : "new_secret"
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1117
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786965,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "sZrKOw",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786966,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].clientId String Required Client identifier, unique within identity zone
    [].oldSecret String Optional if authenticated as an admin client. Required otherwise. A valid client secret before updating
    [].secret String Required The new client secret
    [].changeMode String Optional (defaults to "UPDATE") If change mode is ADD, the new secret is added alongside the existing one; if it is DELETE, the old secret is deleted. Together these support secret rotation. Currently only two client secrets are supported at any given time.

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, the client_secret may be omitted for the authorization_code flow when used in combination with PKCE
    [].access_token_validity Number Time in seconds until the access token expires after it is issued
    [].refresh_token_validity Number Time in seconds until the refresh token expires after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human-readable name for the client
    [].token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String The scope the bearer token had when the client was created
    [].approvals_deleted Boolean Whether the approvals for the client were deleted and an audit event was sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    [].approvals_deleted Boolean Indicates whether the approvals associated with the client were deleted as a result of this action

    Mixed Actions

    $ curl 'http://localhost/oauth/clients/tx/modify' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e' \
        -H 'Accept: application/json' \
        -d '[ {
      "action" : "secret",
      "client_secret" : "new_secret",
      "client_id" : "-Odni4"
    }, {
      "action" : "delete",
      "client_id" : "sZzdUE"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "8oYRmk",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "action" : "add",
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "eVMT0S",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : false
    } ]'
    
    POST /oauth/clients/tx/modify HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e
    Accept: application/json
    Content-Length: 663
    Host: localhost
    
    [ {
      "action" : "secret",
      "client_secret" : "new_secret",
      "client_id" : "-Odni4"
    }, {
      "action" : "delete",
      "client_id" : "sZzdUE"
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "8oYRmk",
      "client_secret" : "secret",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://test1.com", "http://ant.path.wildcard/**/passback/*" ],
      "action" : "add",
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "eVMT0S",
      "autoapprove" : true,
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : false
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1343
    
    [ {
      "scope" : [ ],
      "client_id" : "-Odni4",
      "resource_ids" : [ ],
      "authorized_grant_types" : [ ],
      "action" : "secret",
      "authorities" : [ ],
      "approvals_deleted" : false
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "sZzdUE",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "action" : "delete",
      "authorities" : [ "clients.read", "new.authority", "clients.write" ],
      "token_salt" : "sZrKOw",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786966,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "8oYRmk",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "action" : "add",
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "eVMT0S",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : false,
      "lastModified" : 1732091787042,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone
    [].authorized_grant_types Array Optional List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Optional Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Optional (defaults to "uaa.none") Scopes allowed for the client
    [].resource_ids Array Optional (defaults to []) Resources the client is allowed access to
    [].authorities Array Optional (defaults to "uaa.none") Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Optional (defaults to []) Scopes that do not require user approval
    [].allowpublic Boolean Optional (defaults to false) If true, the client_secret may be omitted for the authorization_code flow when used in combination with PKCE
    [].access_token_validity Number Optional Time in seconds until the access token expires after it is issued
    [].refresh_token_validity Number Optional Time in seconds until the refresh token expires after it is issued
    [].allowedproviders Array Optional A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String Optional A human-readable name for the client
    [].token_salt String Optional A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String Optional The scope the bearer token had when the client was created
    [].approvals_deleted Boolean Optional Whether the approvals for the client were deleted and an audit event was sent
    [].required_user_groups Array Optional A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].client_secret String Required if the client allows authorization_code or client_credentials grant type A secret string used for authenticating as this client.
    [].action String Always required. Set to secret to change client secret, delete to delete the client or add to add the client

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, the client_secret may be omitted for the authorization_code flow in combination with PKCE
    [].access_token_validity Number time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human readable name for the client
    [].token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String What scope the bearer token had when client was created
    [].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    [].action String Set to secret to change client secret, delete to delete the client or add to add the client

    Batch Delete

    $ curl 'http://localhost/oauth/clients/tx/delete' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e' \
        -H 'Accept: application/json' \
        -d '[ {
      "client_id" : "-Odni4"
    }, {
      "client_id" : "8oYRmk"
    } ]'
    
    POST /oauth/clients/tx/delete HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 2e66ae23918e452dbbbe27c04365dd5e
    Accept: application/json
    Content-Length: 62
    Host: localhost
    
    [ {
      "client_id" : "-Odni4"
    }, {
      "client_id" : "8oYRmk"
    } ]
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 1100
    
    [ {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "-Odni4",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "0sTCTU",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "lastModified" : 1732091786965,
      "required_user_groups" : [ ],
      "approvals_deleted" : true
    }, {
      "scope" : [ "clients.read", "clients.write" ],
      "client_id" : "8oYRmk",
      "resource_ids" : [ "none" ],
      "authorized_grant_types" : [ "client_credentials" ],
      "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
      "autoapprove" : [ "true" ],
      "authorities" : [ "clients.read", "clients.write" ],
      "token_salt" : "eVMT0S",
      "allowedproviders" : [ "uaa", "ldap", "my-saml-provider" ],
      "name" : "My Client Name",
      "approvals_deleted" : true,
      "lastModified" : 1732091787042,
      "required_user_groups" : [ ]
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.write, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Fields

    Path Type Constraints Description
    [].client_id String Required Client identifier, unique within identity zone

    Response Fields

    Path Type Description
    [].client_id String Client identifier, unique within identity zone
    [].authorized_grant_types Array List of grant types that can be used to obtain a token with this client. Can include authorization_code, password, implicit, and/or client_credentials.
    [].redirect_uri Array Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden.
    [].scope Array Scopes allowed for the client
    [].resource_ids Array Resources the client is allowed access to
    [].authorities Array Scopes which the client is able to grant when creating a client
    [].autoapprove [Boolean, Array] Scopes that do not require user approval
    [].allowpublic Boolean If true, the client_secret may be omitted for the authorization_code flow in combination with PKCE
    [].access_token_validity Number time in seconds to access token expiration after it is issued
    [].refresh_token_validity Number time in seconds to refresh token expiration after it is issued
    [].allowedproviders Array A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
    [].name String A human readable name for the client
    [].token_salt String A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
    [].createdwith String What scope the bearer token had when client was created
    [].approvals_deleted Boolean Were the approvals deleted for the client, and an audit event sent
    [].required_user_groups Array A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.
    [].lastModified Number Epoch (milliseconds) of the moment the client information was last altered
    [].approvals_deleted Boolean Indicates whether the approvals associated with the client were deleted as a result of this action
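    The client fields documented above (redirect_uri patterns, autoapprove, allowpublic, allowedproviders, authorized_grant_types) decide how much a registration exposes. The following is an added example, not part of the UAA documentation or code base: a small audit over client objects in the shape these endpoints return. The finding codes, the sample clients and the choice to treat autoapprove `true` / `["true"]` as blanket approval are assumptions of this example.

```python
import json

# Grants that send the user-agent to a redirect_uri, and grants that involve an end user.
REDIRECT_GRANTS = {"authorization_code", "implicit"}
USER_GRANTS = REDIRECT_GRANTS | {"password"}
# Grants the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against.
LEGACY_GRANTS = {"implicit", "password"}

# Constructed sample data. The third entry reuses the redirect_uri and autoapprove
# values shown in the sample responses above, on a client_credentials-only client.
SAMPLE_CLIENTS = json.loads("""
[ {
  "client_id" : "sample-web",
  "authorized_grant_types" : [ "authorization_code", "implicit" ],
  "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "https://app.example.com/callback" ],
  "autoapprove" : [ "true" ],
  "allowpublic" : true
}, {
  "client_id" : "sample-portal",
  "authorized_grant_types" : [ "authorization_code" ],
  "redirect_uri" : [ "https://portal.example.com/login/callback" ],
  "autoapprove" : [ "openid" ],
  "allowedproviders" : [ "uaa" ]
}, {
  "client_id" : "sample-service",
  "authorized_grant_types" : [ "client_credentials" ],
  "redirect_uri" : [ "http://ant.path.wildcard/**/passback/*", "http://test1.com" ],
  "autoapprove" : [ "true" ]
} ]
""")


def redirect_findings(pattern):
    """Classify one redirect_uri pattern; returns a set of finding codes."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return {"REDIRECT_NOT_ABSOLUTE"}
    host, _, path = rest.partition("/")
    found = set()
    if scheme.lower() != "https":
        found.add("REDIRECT_NOT_HTTPS")
    if "*" in host:
        found.add("REDIRECT_HOST_WILDCARD")
    if "**" in path:  # Ant-style '**' spans any number of path segments
        found.add("REDIRECT_PATH_WILDCARD_ANY_DEPTH")
    elif "*" in path:
        found.add("REDIRECT_PATH_WILDCARD")
    return found


def autoapproves_everything(value):
    """autoapprove is documented as [Boolean, Array]; treat true / ["true"] as blanket approval."""
    if value is True:
        return True
    return isinstance(value, list) and any(str(v).lower() == "true" for v in value)


def audit_client(client):
    """Return the sorted finding codes for one client object."""
    grants = set(client.get("authorized_grant_types") or [])
    found = set()
    wildcard = False
    # Redirect patterns only matter for grants that actually redirect.
    if grants & REDIRECT_GRANTS:
        for pattern in client.get("redirect_uri") or []:
            codes = redirect_findings(pattern)
            wildcard = wildcard or any("WILDCARD" in c for c in codes)
            found |= codes
    # Approval and identity-provider limits only matter when a user is involved.
    if grants & USER_GRANTS:
        if autoapproves_everything(client.get("autoapprove")):
            found.add("AUTOAPPROVE_ALL_SCOPES")
        if client.get("allowedproviders") is None:  # null means any identity provider
            found.add("ANY_IDENTITY_PROVIDER")
    # A secret-less client is only as well bound as its redirect patterns.
    if client.get("allowpublic") and wildcard:
        found.add("PUBLIC_CLIENT_WITH_WILDCARD_REDIRECT")
    for grant in grants & LEGACY_GRANTS:
        found.add("LEGACY_GRANT_" + grant.upper())
    return sorted(found)


def audit_clients(clients):
    """Map client_id to its findings for a list of client objects."""
    return {c["client_id"]: audit_client(c) for c in clients}


if __name__ == "__main__":
    for client_id, codes in audit_clients(SAMPLE_CLIENTS).items():
        print(client_id, codes or "no findings")
```

    The client_credentials-only sample produces no findings even though it carries the same wildcard pattern, because no grant it holds ever uses a redirect or a user approval.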

    Metadata

    Retrieve

    $ curl 'http://localhost/oauth/clients/y46Bpwfm/meta' -i -X GET \
        -H 'Authorization: Bearer 2c4b6173d1434298928115d88669fff0' \
        -H 'Accept: application/json'
    
    GET /oauth/clients/y46Bpwfm/meta HTTP/1.1
    Authorization: Bearer 2c4b6173d1434298928115d88669fff0
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 199
    
    {
      "clientId" : "y46Bpwfm",
      "showOnHomePage" : true,
      "appLaunchUrl" : "http://myloginpage.com",
      "appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ=",
      "createdBy" : "8718eda2-d1d6-4829-b462-afe7f19b1508"
    }
    

    Path Parameters

    /oauth/clients/{clientId}/meta

    Parameter Description
    clientId Client identifier, unique within identity zone

    Request Headers

    Name Description
    Authorization Bearer token

    Response Fields

    Path Type Description
    clientId String Client identifier, unique within identity zone
    showOnHomePage Boolean Flag to control visibility on home page
    appLaunchUrl String URL to which the app is linked
    appIcon String Base64 encoded image file
    createdBy String The user guid of the resource owner who created this client

    Error Code Description
    404 Not Found - clientId doesn't exist

    List

    $ curl 'http://localhost/oauth/clients/meta' -i -X GET \
        -H 'Authorization: Bearer e2390136c5c44528b86c926e1a435de4' \
        -H 'Accept: application/json'
    
    GET /oauth/clients/meta HTTP/1.1
    Authorization: Bearer e2390136c5c44528b86c926e1a435de4
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 2749
    
    [ {
      "clientId" : "1KsmsZep",
      "showOnHomePage" : true,
      "appLaunchUrl" : "http://client3.com/app",
      "appIcon" : "Y2xpZW50IDMgaWNvbg=="
    }, {
      "clientId" : "Ko0zMkfx",
      "showOnHomePage" : false,
      "appLaunchUrl" : "http://client4.com/app",
      "appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ="
    }, {
      "clientId" : "admin",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "app",
      "clientName" : "The Ultimate Oauth App",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "appspecial",
      "clientName" : "The Ultimate Oauth App",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "cf",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "client_with_allowpublic_and_jwks_uri_trust",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "client_with_bcrypt_prefix",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "client_with_jwks_trust",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "client_without_openid",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "dKWgdjL6",
      "showOnHomePage" : false,
      "appLaunchUrl" : "http://changed.app.launch/url",
      "appIcon" : "",
      "createdBy" : "8718eda2-d1d6-4829-b462-afe7f19b1508"
    }, {
      "clientId" : "dashboard",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "hO11oTMd",
      "showOnHomePage" : true,
      "appLaunchUrl" : "http://myloginpage.com",
      "appIcon" : "aWNvbiBmb3IgY2xpZW50IDQ=",
      "createdBy" : "8718eda2-d1d6-4829-b462-afe7f19b1508"
    }, {
      "clientId" : "identity",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "jku_test",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "jku_test_without_autoapprove",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "login",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "notifications",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_authorization_code",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_client_credentials",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_implicit_grant",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_password_grant",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_saml2_bearer",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_user_token",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "oauth_showcase_user_token_public",
      "showOnHomePage" : false,
      "appIcon" : ""
    }, {
      "clientId" : "some_client_that_contains_redirect_uri_matching_request_param",
      "showOnHomePage" : false,
      "appIcon" : ""
    } ]
    

    Request Headers

    Name Description
    Authorization Bearer token

    Response Fields

    Path Type Description
    [].clientId String Client identifier, unique within identity zone
    [].clientName String Human readable display name for the client
    [].showOnHomePage Boolean Flag to control visibility on home page
    [].appLaunchUrl String URL to which the app is linked
    [].appIcon String Base64 encoded image file
    [].createdBy String The user guid of the resource owner who created this client

    Update

    $ curl 'http://localhost/oauth/clients/dKWgdjL6/meta' -i -X PUT \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer 45533d8d478f4152ac13bea347bb9a4f' \
        -H 'If-Match: 0' \
        -H 'Accept: application/json' \
        -d '{"clientId":"dKWgdjL6","showOnHomePage":false,"appLaunchUrl":"http://changed.app.launch/url"}'
    
    PUT /oauth/clients/dKWgdjL6/meta HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer 45533d8d478f4152ac13bea347bb9a4f
    If-Match: 0
    Accept: application/json
    Content-Length: 93
    Host: localhost
    
    {"clientId":"dKWgdjL6","showOnHomePage":false,"appLaunchUrl":"http://changed.app.launch/url"}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 183
    
    {
      "clientId" : "dKWgdjL6",
      "showOnHomePage" : false,
      "appLaunchUrl" : "http://changed.app.launch/url",
      "appIcon" : "",
      "createdBy" : "8718eda2-d1d6-4829-b462-afe7f19b1508"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token containing clients.read, clients.admin or zones.{zone.id}.admin
    X-Identity-Zone-Id May include this header to administer another zone if using zones.<zone.id>.admin or uaa.admin scope against the default UAA zone.

    Response Fields

    Path Type Description
    clientId String Client identifier, unique within identity zone
    showOnHomePage Boolean Flag to control visibility on home page
    appLaunchUrl String URL to which the app is linked
    appIcon String Base64 encoded image file
    createdBy String The user guid of the resource owner who created this client

    Error Code Description
    404 Not Found - clientId doesn't exist
    400 Bad Request

    Server Information

    The UAA provides several endpoints to describe the server as well as handle various login tasks.

    Server Information

    The server information is available from two identical endpoints:

    1. /info
    2. /login

    Both return the same result, and both support JSON and HTML output. The HTML output is intended for browser user agents to display a login page.

    $ curl 'http://localhost/info?origin=oidc-provider' -i -X GET \
        -H 'Accept: application/json'
    
    GET /info?origin=oidc-provider HTTP/1.1
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Content-Length: 498
    
    {
      "app" : {
        "version" : "77.19.0"
      },
      "links" : {
        "uaa" : "http://localhost:8080/uaa",
        "passwd" : "/forgot_password",
        "login" : "http://localhost:8080/uaa",
        "register" : "/create_account"
      },
      "zone_name" : "uaa",
      "entityID" : "cloudfoundry-saml-login",
      "commit_id" : "git-metadata-not-found",
      "idpDefinitions" : { },
      "prompts" : {
        "username" : [ "text", "Email" ],
        "password" : [ "password", "Password" ]
      },
      "timestamp" : "2024-11-20T08:33:24+0000"
    }
    

    Request Headers

    Name Description
    Accept When set to accept application/json the server will return prompts and server info in JSON format.

    Request Parameters

    Parameter Type Constraints Description
    origin String Optional Use the configured prompts of the OpenID Connect Provider with the given origin key in the response. Fallback to zone values if no prompts are configured or origin is invalid.

    Response Fields

    Path Type Description
    app.version String The UAA version
    commit_id String The GIT sha for the UAA version
    timestamp String JSON timestamp for the commit of the UAA version
    idpDefinitions Object A list of alias/url pairs of SAML IDP providers configured. Each url is the starting point to initiate the authentication process for the SAML identity provider.
    idpDefinitions.* Varies The URL to initiate the authentication process for the SAML identity provider.
    links Object A list of alias/url pairs of configured action URLs for the UAA
    links.login String The link to the login host alias of the UAA
    links.uaa String The link to the uaa alias host of the UAA
    links.passwd String The link to the 'Forgot Password' functionality. Can be external or internal to the UAA
    links.register String The link to the 'Create Account' functionality. Can be external or internal to the UAA
    entityID String The UAA is always a SAML service provider. This field contains the configured entityID
    prompts Object A list of name/value pairs of configured prompts that the UAA uses to log in a user. Format for each prompt is [type, display name] where type can be 'text' or 'password'
    prompts.username Array Information about the username prompt.
    prompts.password Array Information about the password prompt.
    prompts.passcode Array If a SAML identity provider is configured, this prompt contains a URL to where the user can initiate the SAML authentication flow.
    zone_name String The name of the zone invoked
    showLoginLinks Boolean Set to true if there are SAML or OAUTH/OIDC providers with a visible link on the login page.

    OpenID Connect Discovery

    Provides OpenID Connect metadata for the specified server. This URI discovery mechanism for the provider configuration is defined in the OpenID Discovery Configuration standard.

    OpenID Well-Known Configuration

    An OpenID Discovery Configuration Document MUST be queried using an HTTP GET request at path /.well-known/openid-configuration.

    $ curl 'http://localhost/.well-known/openid-configuration' -i -X GET \
        -H 'Accept: application/json'
    
    GET /.well-known/openid-configuration HTTP/1.1
    Accept: application/json
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Content-Length: 1375
    
    {
      "issuer" : "http://localhost:8080/uaa/oauth/token",
      "authorization_endpoint" : "http://localhost/oauth/authorize",
      "token_endpoint" : "http://localhost/oauth/token",
      "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post", "private_key_jwt" ],
      "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "userinfo_endpoint" : "http://localhost/userinfo",
      "jwks_uri" : "http://localhost/token_keys",
      "end_session_endpoint" : "http://localhost/logout.do",
      "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
      "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
      "subject_types_supported" : [ "public" ],
      "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
      "id_token_encryption_alg_values_supported" : [ "none" ],
      "claim_types_supported" : [ "normal" ],
      "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
      "claims_parameter_supported" : false,
      "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
      "ui_locales_supported" : [ "en-US" ],
      "code_challenge_methods_supported" : [ "S256", "plain" ]
    }
    

    Response Fields

    Path Type Description
    issuer String URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
    authorization_endpoint String URL of authorization endpoint.
    token_endpoint String URL of token endpoint.
    userinfo_endpoint String URL of the OP's UserInfo Endpoint.
    jwks_uri String URL of the OP's JSON Web Key Set document.
    end_session_endpoint String URL of the logout endpoint.
    scopes_supported Array JSON array containing a list of the OAuth 2.0 scope values that this server supports.
    subject_types_supported Array JSON array containing a list of the Subject Identifier types that this OP supports.
    token_endpoint_auth_methods_supported Array JSON array containing a list of Client Authentication methods supported by this Token Endpoint.
    token_endpoint_auth_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms.
    response_types_supported Array JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
    id_token_signing_alg_values_supported Array JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT.
    id_token_encryption_alg_values_supported Array JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP.
    claim_types_supported Array JSON array containing a list of the Claim Types that the OpenID Provider supports.
    claims_supported Array JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for.
    claims_parameter_supported Boolean Boolean value specifying whether the OP supports use of the claims parameter.
    service_documentation String URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider.
    code_challenge_methods_supported Array (UAA 75.5.0) JSON array containing a list of PKCE code challenge methods supported by this authorization endpoint.
    ui_locales_supported Array Languages and scripts supported for the user interface.
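    A relying party that consumes this document should check it before trusting the endpoints and algorithms it advertises. The following is an added example, not part of the UAA documentation or code base: it audits a discovery document against the issuer rule stated in the table above (https, no query or fragment) and against the advertised PKCE methods, signing algorithms and response types. The finding codes, the `expected_issuer` parameter and the hardened document are assumptions of this example; the first sample copies fields from the response shown above.

```python
import json
from urllib.parse import urlsplit

ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                   "jwks_uri", "end_session_endpoint")
# Only signing fields are checked for "none"; in id_token_encryption_alg_values_supported
# the value "none" means the ID token is not encrypted, which is a different property.
ALG_FIELDS = ("id_token_signing_alg_values_supported",
              "token_endpoint_auth_signing_alg_values_supported")

# Fields copied from the sample /.well-known/openid-configuration response above.
PAGE_SAMPLE = json.loads("""
{
  "issuer" : "http://localhost:8080/uaa/oauth/token",
  "authorization_endpoint" : "http://localhost/oauth/authorize",
  "token_endpoint" : "http://localhost/oauth/token",
  "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
  "userinfo_endpoint" : "http://localhost/userinfo",
  "jwks_uri" : "http://localhost/token_keys",
  "end_session_endpoint" : "http://localhost/logout.do",
  "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
  "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
  "id_token_encryption_alg_values_supported" : [ "none" ],
  "code_challenge_methods_supported" : [ "S256", "plain" ]
}
""")

# Constructed document for a hypothetical production deployment.
HARDENED = json.loads("""
{
  "issuer" : "https://uaa.example.com/oauth/token",
  "authorization_endpoint" : "https://uaa.example.com/oauth/authorize",
  "token_endpoint" : "https://uaa.example.com/oauth/token",
  "token_endpoint_auth_signing_alg_values_supported" : [ "RS256" ],
  "userinfo_endpoint" : "https://uaa.example.com/userinfo",
  "jwks_uri" : "https://uaa.example.com/token_keys",
  "end_session_endpoint" : "https://uaa.example.com/logout.do",
  "response_types_supported" : [ "code" ],
  "id_token_signing_alg_values_supported" : [ "RS256" ],
  "code_challenge_methods_supported" : [ "S256" ]
}
""")


def audit_discovery(doc, expected_issuer):
    """Return a list of finding codes for one discovery document."""
    findings = []
    issuer = doc.get("issuer", "")
    parts = urlsplit(issuer)
    # The issuer in the document must be the one the client was configured with.
    if issuer != expected_issuer:
        findings.append("ISSUER_MISMATCH")
    if parts.scheme != "https":
        findings.append("ISSUER_NOT_HTTPS")
    if parts.query or parts.fragment:
        findings.append("ISSUER_HAS_QUERY_OR_FRAGMENT")
    # Tokens, keys and credentials cross these endpoints, so each needs TLS.
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if url and urlsplit(url).scheme != "https":
            findings.append("NOT_HTTPS:" + field)
    # With "plain" the challenge equals the verifier, so observing one reveals the other.
    methods = doc.get("code_challenge_methods_supported") or []
    if "S256" not in methods:
        findings.append("PKCE_S256_MISSING")
    if "plain" in methods:
        findings.append("PKCE_PLAIN_ALLOWED")
    for field in ALG_FIELDS:
        for alg in doc.get(field) or []:
            if alg.lower() == "none":
                findings.append("UNSIGNED_ALG:" + field)
            elif alg.upper().startswith("HS"):
                # Symmetric MAC: every verifier also holds the signing secret.
                findings.append("SYMMETRIC_ALG:" + field)
    # Response types without "code" return tokens directly from the authorization endpoint.
    for response_type in doc.get("response_types_supported") or []:
        if "code" not in response_type.split():
            findings.append("IMPLICIT_RESPONSE_TYPE:" + response_type)
    return findings


if __name__ == "__main__":
    for name, doc in (("page sample", PAGE_SAMPLE), ("hardened", HARDENED)):
        print(name, audit_discovery(doc, doc["issuer"]) or "no findings")
```

    The page's sample comes from a localhost test server, so the http findings are expected there; the same checks run against a production issuer show whether `plain` PKCE, HS256 or implicit response types are still advertised.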

    Passcode

    An authenticated user can request a one-time authentication code, or passcode, to be used during a token password grant. Password grants are often used in non-browser environments, where authenticating a user with SAML may be difficult.

    $ curl 'http://localhost/passcode' -i -X GET \
        -H 'Accept: application/json' \
        -H 'Cookie: JSESSIONID=13'
    
    GET /passcode HTTP/1.1
    Accept: application/json
    Cookie: JSESSIONID=13
    Host: localhost
    
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Strict-Transport-Security: max-age=31536000
    Set-Cookie: X-Uaa-Csrf=j9FKCsGN1SDeILqmFyfQ5H; Path=/; Max-Age=86400; Expires=Thu, 21 Nov 2024 08:36:19 GMT; HttpOnly; SameSite=Lax
    Content-Language: en
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 34
    
    "kG3_nSrd045j9_1E-CVpmDjW74K2wm54"
    

    Request Headers

    Name Description
    Cookie JSESSIONID cookie to match the server side session of the authenticated user.

    Auto Login

    Get authentication code

    This is similar to /passcode. The difference is that with an autologin authentication code, the authentication of the user takes place during the generation of the temporary authentication code. The autologin authentication code can be used to log the user in with an HTTP redirect. The UAA will establish an authenticated server-side session and expire the code. To generate the temporary authentication code, a POST against /autologin is required.

    $ curl 'http://localhost/autologin' -i -u 'admin:adminsecret' -X POST \
        -H 'Content-Type: application/json' \
        -H 'Accept: application/json' \
        -d '{"username":"marissa","password":"koala"}'
    
    POST /autologin HTTP/1.1
    Content-Type: application/json
    Authorization: Basic YWRtaW46YWRtaW5zZWNyZXQ=
    Accept: application/json
    Content-Length: 41
    Host: localhost
    
    {"username":"marissa","password":"koala"}
    
    HTTP/1.1 200 OK
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 80
    
    {
      "code" : "aWhfimMpd96-PVjpY7r3ECjMo1EdLQ1M",
      "path" : "/oauth/authorize"
    }
    

    Request Headers

    Name Description
    Authorization Basic authorization header for the client making the autologin request
    Content-Type Set to application/json
    Accept Set to application/json

    Request Body

    Path Type Constraints Description
    username String Required The username for the autologin request
    password String Required The password for the autologin request

    Response Body

    Path Type Description
    code String The code used to authenticate the user.
    path String Not used. Hardcoded to /oauth/authorize

    Perform Login

    To exchange the code for an authenticated session, issue a redirect to /autologin using the code and client_id. If successful, the user will be redirected to the home page, unless the user had tried to access a protected URL and the UAA remembers the URL that was accessed.

    $ curl 'http://localhost/autologin?code=t8eX4oFsJmXUjwstO8pgpZXiIx6C84oa&client_id=admin' -i -X GET
    
    GET /autologin?code=t8eX4oFsJmXUjwstO8pgpZXiIx6C84oa&client_id=admin HTTP/1.1
    Host: localhost
    
    
    HTTP/1.1 302 Found
    Content-Security-Policy: script-src 'self'
    Set-Cookie: Current-User=%7B%22userId%22%3A%224078c78d-2018-4b1a-9ed8-4979d5cab5ad%22%7D; Path=/; Max-Age=1800; Expires=Wed, 20 Nov 2024 09:06:19 GMT; SameSite=Strict
    Content-Language: en
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Location: home
    
    

    Request Parameters

    Parameter Type Constraints Description
    code String Required The code generated from the POST /autologin
    client_id String Required The client_id that generated the autologin code

    External Login Server

    The UAA provides endpoints that facilitate the use of an external login server, that is, a server that handles the UI for browser-based actions.

    Change Password Flow

    Request Reset Password Code

    This endpoint returns a one-time code that can be used to change a user's password. The actual password change can take place by invoking an API endpoint, /password_change, or by a UI flow through the /reset_password endpoint.

    $ curl 'http://localhost/password_resets?client_id=login&redirect_uri=http%3A%2F%2Fgo.to.my.app%2Fafter%2Freset' -i -X POST \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJsb2dpbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJhdXRob3JpdGllcyI6WyJjbGllbnRzLnJlYWQiLCJlbWFpbHMud3JpdGUiLCJzY2ltLnVzZXJpZHMiLCJwYXNzd29yZC53cml0ZSIsImlkcHMud3JpdGUiLCJub3RpZmljYXRpb25zLndyaXRlIiwib2F1dGgubG9naW4iLCJzY2ltLndyaXRlIiwiY3JpdGljYWxfbm90aWZpY2F0aW9ucy53cml0ZSJdLCJjbGllbnRfaWQiOiJsb2dpbiIsImF1ZCI6WyJsb2dpbiIsIm9hdXRoIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJjbGllbnRfY3JlZGVudGlhbHMiLCJhenAiOiJsb2dpbiIsInNjb3BlIjpbIm9hdXRoLmxvZ2luIl0sImV4cCI6MTczMjEzNDk4NywiaWF0IjoxNzMyMDkxNzg3LCJqdGkiOiJkOTQxNTM0NDY4MjE0ZmQwOTRkNThiNTEyYWU3MWMwNiIsInJldl9zaWciOiJlMGU5ODE2MyIsImNpZCI6ImxvZ2luIn0.iQpVqNnxaVhKa1qcvTkrS0QidP2dhmxucrsq3QmfpQ05SXtNU-rtq-4ePOUlqifMZz_y6Umo7QvRX5nnAkQY_NZEYD4GueNwhDnexuYydhsDZgtyV3SV13AscVjIlYAWXjaNmpDE0LKIQNHOizqzZNpfs1gc9_9nuSO4HvGFEHDpAUfLR_z8UAyWB0_1A3mTGs2ao0OId6gpI48OuIRbmAjLuxHscRCKTyZPjmmK1AJbYHyFbH929aQBKLBLSrCacZypnZP0SYLQU7eQKkOgfHw0jxC4akvzEXZikaLOD_MN_QKDSgfI8VPaCcz_99LmjskUuKbA7m6k88BZJmPjpA' \
        -H 'Accept: application/json' \
        -d '[email protected]'
    
    POST /password_resets?client_id=login&redirect_uri=http%3A%2F%2Fgo.to.my.app%2Fafter%2Freset HTTP/1.1
    Content-Type: application/json
    Authorization: Bearer eyJqa3UiOiJodHRwczovL2xvY2FsaG9zdDo4MDgwL3VhYS90b2tlbl9rZXlzIiwia2lkIjoibGVnYWN5LXRva2VuLWtleSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJsb2dpbiIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4iLCJhdXRob3JpdGllcyI6WyJjbGllbnRzLnJlYWQiLCJlbWFpbHMud3JpdGUiLCJzY2ltLnVzZXJpZHMiLCJwYXNzd29yZC53cml0ZSIsImlkcHMud3JpdGUiLCJub3RpZmljYXRpb25zLndyaXRlIiwib2F1dGgubG9naW4iLCJzY2ltLndyaXRlIiwiY3JpdGljYWxfbm90aWZpY2F0aW9ucy53cml0ZSJdLCJjbGllbnRfaWQiOiJsb2dpbiIsImF1ZCI6WyJsb2dpbiIsIm9hdXRoIl0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJjbGllbnRfY3JlZGVudGlhbHMiLCJhenAiOiJsb2dpbiIsInNjb3BlIjpbIm9hdXRoLmxvZ2luIl0sImV4cCI6MTczMjEzNDk4NywiaWF0IjoxNzMyMDkxNzg3LCJqdGkiOiJkOTQxNTM0NDY4MjE0ZmQwOTRkNThiNTEyYWU3MWMwNiIsInJldl9zaWciOiJlMGU5ODE2MyIsImNpZCI6ImxvZ2luIn0.iQpVqNnxaVhKa1qcvTkrS0QidP2dhmxucrsq3QmfpQ05SXtNU-rtq-4ePOUlqifMZz_y6Umo7QvRX5nnAkQY_NZEYD4GueNwhDnexuYydhsDZgtyV3SV13AscVjIlYAWXjaNmpDE0LKIQNHOizqzZNpfs1gc9_9nuSO4HvGFEHDpAUfLR_z8UAyWB0_1A3mTGs2ao0OId6gpI48OuIRbmAjLuxHscRCKTyZPjmmK1AJbYHyFbH929aQBKLBLSrCacZypnZP0SYLQU7eQKkOgfHw0jxC4akvzEXZikaLOD_MN_QKDSgfI8VPaCcz_99LmjskUuKbA7m6k88BZJmPjpA
    Accept: application/json
    Content-Length: 20
    Host: localhost
    
    user-tkno5[email protected]
    
    HTTP/1.1 201 Created
    Content-Security-Policy: script-src 'self'
    Content-Type: application/json
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    Content-Length: 103
    
    {
      "code" : "vcKtsn8DY-rJea-ZFjVUIpDqxIn16bcG",
      "user_id" : "4b8b30e6-6a0c-4cdc-a56e-d233fe191ce2"
    }
    

    Request Headers

    Name Description
    Authorization Bearer token with the scope oauth.login present.
    X-Identity-Zone-Id If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a zone_id.
    X-Identity-Zone-Subdomain If using a zones.<zoneId>.admin scope/token, indicates what zone this request goes to by supplying a subdomain.

    Request Parameters

    Parameter Type Constraints Description
    client_id String Optional Optional client_id
    redirect_uri String Optional Optional redirect_uri to be used if the /reset_password flow is completed.

    Request Body

    The required request body is the user's username, typically an email address, in the form of a JSON string.

    Response Body

    Path Type Description
    code String The code used to invoke the /password_change endpoint or to initiate the /reset_password flow.
    user_id String The UUID identifying the user.