/realm-config/agents/OAuth2Client
Invoke this PingOne Advanced Identity Cloud-specific endpoint to create, update, list, and delete OAuth 2.0 clients. Every request below is authenticated with the SSO token of a tenant administrator, passed in the session cookie header; that token grants administrative access to the realm's client registrations, so handle it as a secret.
Create an OAuth 2.0 client
This example registers a basic OAuth 2.0 client named `myClient` in the `alpha` realm. Provide the SSO token of the tenant administrator as a header, and append the name of the client to the URL.

Security notes before you run this:

- `userpassword` is the client secret. Use a long, randomly generated value rather than a guessable placeholder, and store it in a secrets manager: the secret is write-only and is not returned by this endpoint (the response below shows `"userpassword": null`, and the query output omits it entirely).
- The SSO token in the header is a tenant-administrator credential. Avoid leaving it in shell history, CI logs, or shared terminals.
- Attributes you do not set appear in the response with default values. Note in particular that `responseTypes` defaults to a list that includes implicit-flow values (`token`, `id_token`, and their combinations), and that `mixUpMitigation` and `require_pushed_authorization_requests` default to `false`. For a confidential client that only uses the `authorization_code` grant, consider setting `responseTypes` to `["code"]` (using the same `{"inherited": false, "value": [...]}` form as the other `advancedOAuth2ClientConfig` attributes) and enabling `mixUpMitigation` if the client interacts with more than one authorization server.
- `tokenEndpointAuthMethod` is `client_secret_basic` here; the `signEncOAuth2ClientConfig` attributes in the response (`jwksUri`, `clientJwtPublicKey`, `mTLSSubjectDN`, `mTLSCertificateBoundAccessTokens`) show that key- or certificate-based client authentication is available if a shared secret is not acceptable for your deployment.
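# Register a confidential OAuth 2.0 client named "myClient" in the alpha realm.
# Replace <client-secret> with a long, randomly generated value: it becomes the
# client secret and is NOT returned by the API, so record it securely before use.
# Replace <session-cookie-name> and <tenant-env-fqdn> with your tenant's values.
$ curl \
--request PUT \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--header "<session-cookie-name>: AQIC5wM...3MTYxOA..*" \
--data '{
"coreOAuth2ClientConfig":{
"agentgroup":"",
"status":{
"inherited":true,
"value":"string"
},
"userpassword":"<client-secret>",
"clientType":{
"inherited":false,
"value":"Confidential"
},
"redirectionUris":{
"inherited":false,
"value":[
"https://www.example.com:443/callback"
]
},
"scopes":{
"inherited":false,
"value":[
"write",
"read"
]
},
"defaultScopes":{
"inherited":true,
"value":[
"write"
]
},
"clientName":{
"inherited":true,
"value":[
"My Test Client"
]
}
},
"advancedOAuth2ClientConfig":{
"name":{
"inherited":false,
"value":[]
},
"grantTypes":{
"inherited":true,
"value":[
"authorization_code",
"client_credentials"
]
},
"tokenEndpointAuthMethod":{
"inherited":true,
"value":"client_secret_basic"
}
}
}' \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"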
Display output
{
"_id": "myClient",
"_rev": "720283894",
"overrideOAuth2ClientConfig": {
"issueRefreshToken": true,
"validateScopePluginType": "PROVIDER",
"tokenEncryptionEnabled": false,
"evaluateScopePluginType": "PROVIDER",
"oidcMayActScript": "[Empty]",
"oidcClaimsScript": "[Empty]",
"scopesPolicySet": "oauth2Scopes",
"accessTokenModificationPluginType": "PROVIDER",
"authorizeEndpointDataProviderClass": "org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider",
"oidcClaimsPluginType": "PROVIDER",
"providerOverridesEnabled": false,
"authorizeEndpointDataProviderScript": "[Empty]",
"statelessTokensEnabled": false,
"authorizeEndpointDataProviderPluginType": "PROVIDER",
"remoteConsentServiceId": null,
"enableRemoteConsent": false,
"validateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator",
"usePolicyEngineForScope": false,
"evaluateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator",
"overrideableOIDCClaims": [],
"accessTokenMayActScript": "[Empty]",
"evaluateScopeScript": "[Empty]",
"clientsCanSkipConsent": false,
"accessTokenModificationScript": "[Empty]",
"issueRefreshTokenOnRefreshedToken": true,
"validateScopeScript": "[Empty]"
},
"advancedOAuth2ClientConfig": {
"logoUri": {
"inherited": false,
"value": []
},
"subjectType": {
"inherited": false,
"value": "public"
},
"clientUri": {
"inherited": false,
"value": []
},
"tokenExchangeAuthLevel": {
"inherited": false,
"value": 0
},
"responseTypes": {
"inherited": false,
"value": [
"code",
"token",
"id_token",
"code token",
"token id_token",
"code id_token",
"code token id_token",
"device_code",
"device_code id_token"
]
},
"mixUpMitigation": {
"inherited": false,
"value": false
},
"customProperties": {
"inherited": false,
"value": []
},
"javascriptOrigins": {
"inherited": false,
"value": []
},
"policyUri": {
"inherited": false,
"value": []
},
"softwareVersion": {
"inherited": false
},
"tosURI": {
"inherited": false,
"value": []
},
"sectorIdentifierUri": {
"inherited": false
},
"tokenEndpointAuthMethod": {
"inherited": false,
"value": "client_secret_basic"
},
"refreshTokenGracePeriod": {
"inherited": false,
"value": 0
},
"isConsentImplied": {
"inherited": false,
"value": false
},
"softwareIdentity": {
"inherited": false
},
"grantTypes": {
"inherited": false,
"value": [
"authorization_code"
]
},
"require_pushed_authorization_requests": {
"inherited": false,
"value": false
},
"descriptions": {
"inherited": false,
"value": []
},
"requestUris": {
"inherited": false,
"value": []
},
"name": {
"inherited": false,
"value": [
"null"
]
},
"contacts": {
"inherited": false,
"value": []
},
"updateAccessToken": {
"inherited": false
}
},
"signEncOAuth2ClientConfig": {
"tokenEndpointAuthSigningAlgorithm": {
"inherited": false,
"value": "RS256"
},
"idTokenEncryptionEnabled": {
"inherited": false,
"value": false
},
"tokenIntrospectionEncryptedResponseEncryptionAlgorithm": {
"inherited": false,
"value": "A128CBC-HS256"
},
"requestParameterSignedAlg": {
"inherited": false
},
"authorizationResponseSigningAlgorithm": {
"inherited": false,
"value": "RS256"
},
"clientJwtPublicKey": {
"inherited": false
},
"idTokenPublicEncryptionKey": {
"inherited": false
},
"mTLSSubjectDN": {
"inherited": false
},
"jwkStoreCacheMissCacheTime": {
"inherited": false,
"value": 60000
},
"jwkSet": {
"inherited": false
},
"idTokenEncryptionMethod": {
"inherited": false,
"value": "A128CBC-HS256"
},
"jwksUri": {
"inherited": false
},
"tokenIntrospectionEncryptedResponseAlg": {
"inherited": false,
"value": "RSA-OAEP-256"
},
"authorizationResponseEncryptionMethod": {
"inherited": false
},
"userinfoResponseFormat": {
"inherited": false,
"value": "JSON"
},
"mTLSCertificateBoundAccessTokens": {
"inherited": false,
"value": false
},
"publicKeyLocation": {
"inherited": false,
"value": "jwks_uri"
},
"tokenIntrospectionResponseFormat": {
"inherited": false,
"value": "JSON"
},
"requestParameterEncryptedEncryptionAlgorithm": {
"inherited": false,
"value": "A128CBC-HS256"
},
"userinfoSignedResponseAlg": {
"inherited": false
},
"idTokenEncryptionAlgorithm": {
"inherited": false,
"value": "RSA-OAEP-256"
},
"requestParameterEncryptedAlg": {
"inherited": false
},
"authorizationResponseEncryptionAlgorithm": {
"inherited": false
},
"mTLSTrustedCert": {
"inherited": false
},
"jwksCacheTimeout": {
"inherited": false,
"value": 3600000
},
"userinfoEncryptedResponseAlg": {
"inherited": false
},
"idTokenSignedResponseAlg": {
"inherited": false,
"value": "RS256"
},
"tokenIntrospectionSignedResponseAlg": {
"inherited": false,
"value": "RS256"
},
"userinfoEncryptedResponseEncryptionAlgorithm": {
"inherited": false,
"value": "A128CBC-HS256"
}
},
"coreOpenIDClientConfig": {
"claims": {
"inherited": false,
"value": []
},
"backchannel_logout_uri": {
"inherited": false
},
"defaultAcrValues": {
"inherited": false,
"value": []
},
"jwtTokenLifetime": {
"inherited": false,
"value": 0
},
"defaultMaxAgeEnabled": {
"inherited": false,
"value": false
},
"clientSessionUri": {
"inherited": false
},
"defaultMaxAge": {
"inherited": false,
"value": 600
},
"postLogoutRedirectUri": {
"inherited": false,
"value": []
},
"backchannel_logout_session_required": {
"inherited": false,
"value": false
}
},
"coreOAuth2ClientConfig": {
"userpassword": null,
"status": {
"inherited": false,
"value": "Active"
},
"clientName": {
"inherited": false,
"value": []
},
"clientType": {
"inherited": false,
"value": "Confidential"
},
"loopbackInterfaceRedirection": {
"inherited": false,
"value": false
},
"defaultScopes": {
"inherited": false,
"value": []
},
"refreshTokenLifetime": {
"inherited": false,
"value": 0
},
"scopes": {
"inherited": false,
"value": [
"write",
"read"
]
},
"accessTokenLifetime": {
"inherited": false,
"value": 0
},
"redirectionUris": {
"inherited": false,
"value": [
"https://www.example.com:443/callback"
]
},
"authorizationCodeLifetime": {
"inherited": false,
"value": 0
}
},
"coreUmaClientConfig": {
"claimsRedirectionUris": {
"inherited": false,
"value": []
}
},
"_type": {
"_id": "OAuth2Client",
"name": "OAuth2 Clients",
"collection": true
}
}
Update an OAuth 2.0 client
To update an existing OAuth 2.0 client, send a PUT request of the same shape as the create request. The PUT is a full replacement, not a merge: include every attribute you want to retain, because any attribute omitted from the JSON payload is effectively deleted from the client. A safe workflow is to GET the current configuration, edit only the attributes you intend to change, and PUT the result back. Be aware that the client secret (`userpassword`) is not included in GET output, so it cannot simply be round-tripped; check how your update affects it before relying on the existing secret.
Query OAuth 2.0 clients
This example lists the OAuth 2.0 clients in the `alpha` realm. Provide the SSO token of a tenant administrator as a header. The response contains the full configuration of every client in the realm, including redirect URIs, scopes, and key material references; the `userpassword` (client secret) is not included in the output.
# List every OAuth 2.0 client in the alpha realm. curl defaults to GET, so no
# --request flag is needed. The userpassword attribute is not part of the output.
$ curl \
--header "<session-cookie-name>: AQIC5wM...3MTYxOA..*" \
--header "Accept-API-Version: resource=1.0" \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client?_queryFilter=true"
Display output
{
"result": [
{
"_id": "myClient",
"_rev": "-1788958356",
"overrideOAuth2ClientConfig": {
"issueRefreshToken": true,
"validateScopePluginType": "PROVIDER",
"tokenEncryptionEnabled": false,
"evaluateScopePluginType": "PROVIDER",
"oidcMayActScript": "[Empty]",
"oidcClaimsScript": "[Empty]",
"accessTokenModificationPluginType": "PROVIDER",
"authorizeEndpointDataProviderClass": "org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider",
"oidcClaimsPluginType": "PROVIDER",
"providerOverridesEnabled": false,
"authorizeEndpointDataProviderScript": "[Empty]",
"statelessTokensEnabled": false,
"authorizeEndpointDataProviderPluginType": "PROVIDER",
"remoteConsentServiceId": null,
"enableRemoteConsent": false,
"validateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator",
"usePolicyEngineForScope": false,
"evaluateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator",
"overrideableOIDCClaims": [],
"accessTokenMayActScript": "[Empty]",
"evaluateScopeScript": "[Empty]",
"clientsCanSkipConsent": false,
"accessTokenModificationScript": "[Empty]",
"issueRefreshTokenOnRefreshedToken": true,
"validateScopeScript": "[Empty]"
},
"advancedOAuth2ClientConfig": {
"logoUri": [],
"subjectType": "public",
"clientUri": [],
"tokenExchangeAuthLevel": 0,
"responseTypes": [
"code",
"token",
"id_token",
"code token",
"token id_token",
"code id_token",
"code token id_token",
"device_code",
"device_code id_token"
],
"mixUpMitigation": false,
"customProperties": [],
"javascriptOrigins": [],
"policyUri": [],
"softwareVersion": null,
"sectorIdentifierUri": null,
"tosURI": [],
"tokenEndpointAuthMethod": "client_secret_basic",
"isConsentImplied": false,
"refreshTokenGracePeriod": 0,
"softwareIdentity": null,
"grantTypes": [
"authorization_code"
],
"require_pushed_authorization_requests": false,
"descriptions": [],
"requestUris": [],
"name": [],
"contacts": [],
"updateAccessToken": null
},
"signEncOAuth2ClientConfig": {
"tokenEndpointAuthSigningAlgorithm": "RS256",
"idTokenEncryptionEnabled": false,
"tokenIntrospectionEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
"requestParameterSignedAlg": null,
"authorizationResponseSigningAlgorithm": "RS256",
"clientJwtPublicKey": null,
"idTokenPublicEncryptionKey": null,
"mTLSSubjectDN": null,
"jwkStoreCacheMissCacheTime": 60000,
"jwkSet": null,
"idTokenEncryptionMethod": "A128CBC-HS256",
"jwksUri": null,
"tokenIntrospectionEncryptedResponseAlg": "RSA-OAEP-256",
"authorizationResponseEncryptionMethod": null,
"userinfoResponseFormat": "JSON",
"mTLSCertificateBoundAccessTokens": false,
"publicKeyLocation": "jwks_uri",
"tokenIntrospectionResponseFormat": "JSON",
"requestParameterEncryptedEncryptionAlgorithm": "A128CBC-HS256",
"userinfoSignedResponseAlg": null,
"idTokenEncryptionAlgorithm": "RSA-OAEP-256",
"requestParameterEncryptedAlg": null,
"authorizationResponseEncryptionAlgorithm": null,
"mTLSTrustedCert": null,
"jwksCacheTimeout": 3600000,
"userinfoEncryptedResponseAlg": null,
"idTokenSignedResponseAlg": "RS256",
"userinfoEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
"tokenIntrospectionSignedResponseAlg": "RS256"
},
"coreOpenIDClientConfig": {
"claims": [],
"backchannel_logout_uri": null,
"defaultAcrValues": [],
"jwtTokenLifetime": 0,
"defaultMaxAgeEnabled": false,
"clientSessionUri": null,
"defaultMaxAge": 600,
"postLogoutRedirectUri": [],
"backchannel_logout_session_required": false
},
"coreOAuth2ClientConfig": {
"status": "Active",
"clientName": [],
"clientType": "Confidential",
"loopbackInterfaceRedirection": false,
"defaultScopes": [],
"agentgroup": null,
"refreshTokenLifetime": 0,
"scopes": [],
"accessTokenLifetime": 0,
"redirectionUris": [],
"authorizationCodeLifetime": 0
},
"coreUmaClientConfig": {
"claimsRedirectionUris": []
},
"_type": {
"_id": "OAuth2Client",
"name": "OAuth2 Clients",
"collection": true
}
}
],
"resultCount": 1,
"pagedResultsCookie": null,
"totalPagedResultsPolicy": "EXACT",
"totalPagedResults": 1,
"remainingPagedResults": -1
}
Delete an OAuth 2.0 client
This example deletes an OAuth 2.0 client named `myClient` in the `alpha` realm. Provide the SSO token of the tenant administrator as a header, and append the name of the client to the URL. The deletion is a single request with no confirmation step, so verify the client ID in the URL before sending it; the response echoes the deleted client's configuration, which you may want to keep if the client has to be re-created later (its secret, however, is not included).
# Remove the client "myClient" from the alpha realm. This takes effect
# immediately and there is no confirmation prompt, so check the client ID first.
$ curl \
-X DELETE \
-H "Accept-API-Version: resource=1.0" \
-H "<session-cookie-name>: AQIC5wM...3MTYxOA..*" \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"
{
"_id": "myClient",
"_rev": "-614477476",
...
}