Search Vault documentation » Create or Update a ProviderThis endpoint creates or updates a Provider.
Method Path POST
identity/oidc/provider/:name
» Parametersname
(string: <required>)
– The name of the provider. This parameter is specified as part of the URL.
issuer
(string: <optional>)
- Specifies what will be used as the scheme://host:port
component for the iss
claim of ID tokens. This defaults to a URL with
Vault's api_addr
as the scheme://host:port
component and /v1/:namespace/identity/oidc/provider/:name
as the path
component. If provided explicitly, it must point to a Vault instance that is network reachable by clients for ID token validation.
allowed_client_ids
([]string: <optional>)
– The client IDs that are permitted to use the provider. If empty, no clients are allowed. If "*"
is provided, all clients are allowed.
scopes_supported
([]string: <optional>)
– The scopes available for requesting on the provider.
» Sample Payload{
"allowed_client_ids" : [ "*" ] ,
"scopes_supported" : [ "test-scope" ]
}
{
"allowed_client_ids" : [ "*" ] ,
"scopes_supported" : [ "test-scope" ]
}
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
» Read Provider by NameThis endpoint queries the OIDC provider by its name.
Method Path GET
/identity/oidc/provider/:name
» Parametersname
(string: <required>)
– The name of the provider.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
» Sample Response{
"data" : {
"allowed_client_ids" : [ "*" ] ,
"issuer" : "" ,
"scopes_supported" : [ "test-scope" ]
}
}
{
"data" : {
"allowed_client_ids" : [ "*" ] ,
"issuer" : "" ,
"scopes_supported" : [ "test-scope" ]
}
}
» List ProvidersThis endpoint returns a list of all OIDC providers.
Method Path LIST
/identity/oidc/provider
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/provider
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/provider
» Sample Response{
"data" : {
"keys" : [
"test-provider"
]
}
}
{
"data" : {
"keys" : [
"test-provider"
]
}
}
» Delete Provider by NameThis endpoint deletes an OIDC provider.
Method Path DELETE
/identity/oidc/provider/:name
» Parametersname
(string: <required>)
– The name of the provider.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider
» Create or Update a ScopeThis endpoint creates or updates a scope.
Method Path POST
identity/oidc/scope/:name
» Parametersname
(string: <required>)
– The name of the scope. This parameter is specified as part of the URL. The openid
scope name is reserved.
template
(string: <optional>)
- The JSON template
string for the scope. This may be provided as escaped JSON or base64 encoded JSON.
description
(string: <optional>)
– A description of the scope.
» Sample Payload{
"template" : "{ \"groups\": {{identity.entity.groups.names}} }" ,
"description" : "A simple scope example."
}
{
"template" : "{ \"groups\": {{identity.entity.groups.names}} }" ,
"description" : "A simple scope example."
}
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
» Read Scope by NameThis endpoint queries a scope by its name.
Method Path GET
/identity/oidc/scope/:name
» Parametersname
(string: <required>)
– The name of the scope.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
» Sample Response{
"data" : {
"description" : "A simple scope example." ,
"template" : "{ \"groups\": {{identity.entity.groups.names}} }"
}
}
{
"data" : {
"description" : "A simple scope example." ,
"template" : "{ \"groups\": {{identity.entity.groups.names}} }"
}
}
» List ScopesThis endpoint returns a list of all configured scopes.
Method Path LIST
/identity/oidc/scope
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/scope
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/scope
» Sample Response{
"data" : {
"keys" : [
"test-scope"
]
}
}
{
"data" : {
"keys" : [
"test-scope"
]
}
}
» Delete Scope by NameThis endpoint deletes a scope.
Method Path DELETE
/identity/oidc/scope/:name
» Parametersname
(string: <required>)
– The name of the scope.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/scope/test-scope
» Create or Update a ClientThis endpoint creates or updates a client.
Method Path POST
identity/oidc/client/:name
» Parametersname
(string: <required>)
– The name of the client. This parameter is specified as part of the URL.
key
(string: "default")
– A reference to a named key
resource. This key will be used to sign ID tokens for the client. This cannot be modified
after creation. If not supplied, defaults to the built-in default key .
redirect_uris
([]string: <optional>)
- Redirection URI values used by the client. One of these values
must exactly match the redirect_uri
parameter value used in each authentication request .
assignments
([]string: <optional>)
– A list of assignment resources associated with
the client. Client assignments limit the Vault entities and groups that are allowed to
authenticate through the client. By default, no Vault entities are allowed. To allow all
Vault entities to authenticate through the client, supply the built-in
allow_all assignment.
client_type
(string: "confidential")
– The client type
based on its ability to maintain confidentiality of credentials. The following list details
the differences between confidential and public clients in Vault:
confidential
Capable of maintaining the confidentiality of its credentials Has a client secret Uses the client_secret_basic
client authentication method May use Proof Key for Code Exchange (PKCE )
for the authorization code flow public
Not capable of maintaining the confidentiality of its credentials Does not have a client secret Uses the none
client authentication method Must use Proof Key for Code Exchange (PKCE )
for the authorization code flow id_token_ttl
(int or duration: "24h")
– The time-to-live for ID tokens obtained by the client.
This can be specified as a number of seconds or as a Go duration format string
like "30m"
or "6h"
. The value should be less than the verification_ttl
on the key.
access_token_ttl
(int or duration: "24h")
– The time-to-live for access tokens obtained by the client.
This can be specified as a number of seconds or as a Go duration format string like "30m"
or "6h"
.
» Sample Payload{
"key" : "test-key" ,
"access_token_ttl" : "30m" ,
"id_token_ttl" : "1h"
}
{
"key" : "test-key" ,
"access_token_ttl" : "30m" ,
"id_token_ttl" : "1h"
}
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
» Read Client by NameThis endpoint queries a client by its name.
Method Path GET
/identity/oidc/client/:name
» Parametersname
(string: <required>)
– The name of the client.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
» Sample Response{
"data" : {
"access_token_ttl" : 1800 ,
"assignments" : [ ] ,
"client_id" : "014zXvcvbvIZWwD5NfD1Uzmv7c5JBRMb" ,
"client_secret" : "hvo_secret_bZtgQPBZaJXK7F5vOI7JlvEuLOfOUS7DmwynFjE3xKcsen7TyowqPFfYFXG2tbWM" ,
"client_type" : "confidential" ,
"id_token_ttl" : 3600 ,
"key" : "test-key" ,
"redirect_uris" : [ ]
}
}
{
"data" : {
"access_token_ttl" : 1800 ,
"assignments" : [ ] ,
"client_id" : "014zXvcvbvIZWwD5NfD1Uzmv7c5JBRMb" ,
"client_secret" : "hvo_secret_bZtgQPBZaJXK7F5vOI7JlvEuLOfOUS7DmwynFjE3xKcsen7TyowqPFfYFXG2tbWM" ,
"client_type" : "confidential" ,
"id_token_ttl" : 3600 ,
"key" : "test-key" ,
"redirect_uris" : [ ]
}
}
» List ClientsThis endpoint returns a list of all configured clients.
Method Path LIST
/identity/oidc/client
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/client
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/client
» Sample Response{
"data" : {
"keys" : [
"test-client"
]
}
}
{
"data" : {
"keys" : [
"test-client"
]
}
}
» Delete Client by NameThis endpoint deletes a client.
Method Path DELETE
/identity/oidc/client/:name
» Parametersname
(string: <required>)
– The name of the client.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/client/test-client
» Create or Update an AssignmentThis endpoint creates or updates an assignment.
Method Path POST
identity/oidc/assignment/:name
» Parametersname
(string: <required>)
– The name of the assignment. This parameter is specified as part of the URL.
entity_ids
([]string: <optional>)
- A list of Vault entity IDs.
group_ids
([]string: <optional>)
– A list of Vault group IDs.
» Sample Payload{
"group_ids" : [ "my-group" ] ,
"entity_ids" : [ "my-entity" ]
}
{
"group_ids" : [ "my-group" ] ,
"entity_ids" : [ "my-entity" ]
}
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
» Read Assignment by NameThis endpoint queries an assignment by its name.
Method Path GET
/identity/oidc/assignment/:name
» Parametersname
(string: <required>)
– The name of the assignment.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
» Sample Response{
"data" : {
"entity_ids" : [
"my-entity"
] ,
"group_ids" : [
"my-group"
]
}
}
{
"data" : {
"entity_ids" : [
"my-entity"
] ,
"group_ids" : [
"my-group"
]
}
}
» List AssignmentsThis endpoint returns a list of all configured assignments.
Method Path LIST
/identity/oidc/assignment
» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/assignment
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/identity/oidc/assignment
» Sample Response{
"data" : {
"keys" : [
"test-assignment"
]
}
}
{
"data" : {
"keys" : [
"test-assignment"
]
}
}
» Delete Assignment by NameThis endpoint deletes an assignment.
Method Path DELETE
/identity/oidc/assignment/:name
» Parametersname
(string: <required>)
– The name of the assignment.» Sample Request$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/identity/oidc/assignment/test-assignment
» Read Provider OpenID ConfigurationReturns OpenID Connect Metadata for a named OIDC provider. The response is a
compliant OpenID Provider Configuration Response .
Method Path GET
/identity/oidc/provider/:name/.well-known/openid-configuration
» Parametersname
(string: <required>)
– The name of the provider. This parameter is specified as part of the URL.» Sample Request$ curl \
--request GET \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/openid-configuration
$ curl \
--request GET \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/openid-configuration
» Sample Response{
"issuer" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider" ,
"jwks_uri" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/keys" ,
"authorization_endpoint" : "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/test-provider/authorize" ,
"token_endpoint" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token" ,
"userinfo_endpoint" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo" ,
"request_uri_parameter_supported" : false ,
"id_token_signing_alg_values_supported" : [
"RS256" ,
"RS384" ,
"RS512" ,
"ES256" ,
"ES384" ,
"ES512" ,
"EdDSA"
] ,
"response_types_supported" : [
"code"
] ,
"scopes_supported" : [
"openid"
] ,
"subject_types_supported" : [
"public"
] ,
"grant_types_supported" : [
"authorization_code"
] ,
"token_endpoint_auth_methods_supported" : [
"client_secret_basic" ,
"none"
] }
{
"issuer" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider" ,
"jwks_uri" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/keys" ,
"authorization_endpoint" : "http://127.0.0.1:8200/ui/vault/identity/oidc/provider/test-provider/authorize" ,
"token_endpoint" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token" ,
"userinfo_endpoint" : "http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo" ,
"request_uri_parameter_supported" : false ,
"id_token_signing_alg_values_supported" : [
"RS256" ,
"RS384" ,
"RS512" ,
"ES256" ,
"ES384" ,
"ES512" ,
"EdDSA"
] ,
"response_types_supported" : [
"code"
] ,
"scopes_supported" : [
"openid"
] ,
"subject_types_supported" : [
"public"
] ,
"grant_types_supported" : [
"authorization_code"
] ,
"token_endpoint_auth_methods_supported" : [
"client_secret_basic" ,
"none"
] }
» Read Provider Public KeysQuery this path to retrieve the public portion of keys for an OIDC provider.
Clients can use them to validate the authenticity of an identity token.
Method Path GET
/identity/oidc/provider/:name/.well-known/keys
» Parametersname
(string: <required>)
– The name of the provider. This parameter is specified as part of the URL.» Sample Request$ curl \
--request GET \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/keys
$ curl \
--request GET \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/.well-known/keys
» Sample Response{
"keys" : [
{
"use" : "sig" ,
"kty" : "RSA" ,
"kid" : "ee7c0920-fdb9-5c1a-9c69-6dab710d1a09" ,
"alg" : "RS256" ,
"n" : "zdFjUV9lBw5nQPvTtwH-gzKgRG7iepvYbFoc2hNB0-inJL25oh-mvNW3GS8jPY5XHLsiWa_1TKKE99JrKQgane2C96soFeOvR7SozbCeH8_FpZelH1Pym1NV038j05Vp87uB9FeKPsy1PNOLPTs_Fp42JIAenly7ojYwPp1s61p9V0U9rOhtldY7GkXHLN9s8v3aJjxqrTS3Puhs9MFS7EgRrEDAc69uiLXCoYXKygjXddvJi6j446XxnO2eTRMGl1f2t04s_vDgVnFQgjQSKYWPbOMhf2slkeR47fqE3qqUDzINxauqMbkW-PlLP9IN0crR2uC07cG2os4RxN4YHw" ,
"e" : "AQAB"
} ,
{
"use" : "sig" ,
"kty" : "RSA" ,
"kid" : "6e468221-b7c2-9d2d-744d-33b7ae0357cb" ,
"alg" : "RS256" ,
"n" : "rMaucILJKiFg_lkCE8ZEV_8jiYdaVDjKkc-8XPBW8S34wIRl1EbsgCYfMHtJnIJ_3eUgOVorW5KVeN9C8W16LR3lhqRWS9y4qlt0AcWpOvsmxr5q5dS_QqgCjeftCKwJzUsMi5bMW8wKjRZdd-qLz6X1rVSZWX82G0So8nRBg9d3MNJbKcdIJrRbrxWkm8U9xMqRouzbyQ2Hsp2rRVgGh7yjEA6daI5Ao8UsPdBmlCM9oKZ1_Kje5JTfZKeHlT-58vn_ylCjMVlapLuUsDN6He2kPVyOzGbie297VOfjmB7QX0ah1f7Ni1UJFJYHrVK9wMfCLTltSFZBcQ9--FlVdQ" ,
"e" : "AQAB"
}
] }
{
"keys" : [
{
"use" : "sig" ,
"kty" : "RSA" ,
"kid" : "ee7c0920-fdb9-5c1a-9c69-6dab710d1a09" ,
"alg" : "RS256" ,
"n" : "zdFjUV9lBw5nQPvTtwH-gzKgRG7iepvYbFoc2hNB0-inJL25oh-mvNW3GS8jPY5XHLsiWa_1TKKE99JrKQgane2C96soFeOvR7SozbCeH8_FpZelH1Pym1NV038j05Vp87uB9FeKPsy1PNOLPTs_Fp42JIAenly7ojYwPp1s61p9V0U9rOhtldY7GkXHLN9s8v3aJjxqrTS3Puhs9MFS7EgRrEDAc69uiLXCoYXKygjXddvJi6j446XxnO2eTRMGl1f2t04s_vDgVnFQgjQSKYWPbOMhf2slkeR47fqE3qqUDzINxauqMbkW-PlLP9IN0crR2uC07cG2os4RxN4YHw" ,
"e" : "AQAB"
} ,
{
"use" : "sig" ,
"kty" : "RSA" ,
"kid" : "6e468221-b7c2-9d2d-744d-33b7ae0357cb" ,
"alg" : "RS256" ,
"n" : "rMaucILJKiFg_lkCE8ZEV_8jiYdaVDjKkc-8XPBW8S34wIRl1EbsgCYfMHtJnIJ_3eUgOVorW5KVeN9C8W16LR3lhqRWS9y4qlt0AcWpOvsmxr5q5dS_QqgCjeftCKwJzUsMi5bMW8wKjRZdd-qLz6X1rVSZWX82G0So8nRBg9d3MNJbKcdIJrRbrxWkm8U9xMqRouzbyQ2Hsp2rRVgGh7yjEA6daI5Ao8UsPdBmlCM9oKZ1_Kje5JTfZKeHlT-58vn_ylCjMVlapLuUsDN6He2kPVyOzGbie297VOfjmB7QX0ah1f7Ni1UJFJYHrVK9wMfCLTltSFZBcQ9--FlVdQ" ,
"e" : "AQAB"
}
] }
» Authorization EndpointProvides the Authorization Endpoint
for an OIDC provider. This allows OIDC clients to request an authorization code
to be used for the Authorization Code Flow .
Method Path GET/POST
/identity/oidc/provider/:name/authorize
» Parametersname
(string: <required>)
- The name of the provider. This parameter is specified as part of the URL.
scope
(string: <required>)
- A space-delimited list of scopes to be requested. The openid
scope is required.
response_type
(string: <required>)
- The OIDC authentication flow to be used. The following response types are supported: code
.
client_id
(string: <required>)
- The ID of the requesting client.
redirect_uri
(string: <required>)
- The redirection URI to which the response will be sent.
state
(string: <required>)
- A value used to maintain state between the authentication request and client.
nonce
(string: <optional>)
- A value that is returned in the ID token nonce claim. It is used to mitigate replay attacks, so we strongly encourage providing this optional parameter.
max_age
(integer: <optional>)
- The allowable elapsed time in seconds since the last
time the end-user was actively authenticated.
code_challenge
(string: <optional>)
- The PKCE
code challenge derived from the client's code verifier. Optional for confidential
clients.
Required for public
clients.
code_challenge_method
(string: "plain")
- The method that was used to derive the
PKCE code challenge. The following
methods are supported: S256
, plain
.
» Sample Request$ curl \
--request GET \
--header "X-Vault-Token: ..." \
-G \
-d "response_type=code" \
-d "client_id=$CLIENT_ID " \
-d "state=af0ifjsldkj" \
-d "nonce=abcdefghijk" \
--data-urlencode "scope=openid" \
--data-urlencode "redirect_uri=http://127.0.0.1:8251/callback" \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/authorize
$ curl \
--request GET \
--header "X-Vault-Token: ..." \
-G \
-d "response_type=code" \
-d "client_id=$CLIENT_ID " \
-d "state=af0ifjsldkj" \
-d "nonce=abcdefghijk" \
--data-urlencode "scope=openid" \
--data-urlencode "redirect_uri=http://127.0.0.1:8251/callback" \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/authorize
» Sample Response{
"code" : "BDSc9kVYljxND93YpveBuJtSvguM3AWe" ,
"state" : "af0ifjsldkj"
}
{
"code" : "BDSc9kVYljxND93YpveBuJtSvguM3AWe" ,
"state" : "af0ifjsldkj"
}
» Token EndpointProvides the Token Endpoint
for an OIDC provider.
Method Path POST
/identity/oidc/provider/:name/token
» Parametersname
(string: <required>)
- The name of the provider. This parameter is
specified as part of the URL.
code
(string: <required>)
- The authorization code received from the
provider's authorization endpoint.
grant_type
(string: <required>)
- The authorization grant type. The
following grant types are supported: authorization_code
.
redirect_uri
(string: <required>)
- The callback location where the
authorization request was sent. This must match the redirect_uri
used when the
original authorization code was generated.
client_id
(string: <required>)
- The ID of the requesting client. This parameter
is only required for public
clients which do not have a client secret. confidential
clients should not use this parameter.
code_verifier
(string: <optional>)
- The code verifier associated with the given
code
. Required for authorization codes that were granted using PKCE .
Required for public
clients.
» HeadersAuthorization: Basic
(string: <required>)
- An HTTP Basic authentication scheme header
including the client_id
and client_secret
as described in the client_secret_basic
authentication method. This header is only required for confidential
clients.» Sample Request$ BASIC_AUTH_CREDS = $( printf "%s:%s" "$CLIENT_ID " "$CLIENT_SECRET " | base64)
$ curl \
--request POST \
--header "Authorization: Basic $BASIC_AUTH_CREDS " \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d "code=4RL50r78p8HsNJY0GVUNGfjLHnpkRf3N" \
-d "grant_type=authorization_code" \
-d "redirect_uri=http://127.0.0.1:8251/callback" \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token
$ BASIC_AUTH_CREDS = $( printf "%s:%s" "$CLIENT_ID " "$CLIENT_SECRET " | base64)
$ curl \
--request POST \
--header "Authorization: Basic $BASIC_AUTH_CREDS " \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d "code=4RL50r78p8HsNJY0GVUNGfjLHnpkRf3N" \
-d "grant_type=authorization_code" \
-d "redirect_uri=http://127.0.0.1:8251/callback" \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/token
» Sample Response{
"access_token" : "b.AAAAAQJEH5VXjfjUESCwySTKk2MS1MGVNc9oU-N2EyoLKVo9SYa-NnOWAXloYfrlO45UWC3R1PC5ZShl3JdmRJ0264julNnlBduSNXJkYjgCQsFQwXTKHcjhqdNsmJNMWiPaHPn5NLSpNQVtzAxfHADt4r9rmX-UEG5seOWbmK_Z5WwS_4a8-wcVPB7FpOGzfBydP7yMxHu-3H1TWyQvYVr28XUfYxcBbdlzxhJn0yqkWItgmZ25xEOp7SW7Pg4tYB7AXfk" ,
"expires_in" : 3600 ,
"id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6ImEzMjk5ZWVmLTllNDEtOGNiYS1kNWExLTZmZWM2NjIyODRjYyJ9.eyJhdF9oYXNoIjoiMUdlQlEzUFdtUjJ2ajZVU2swSW42USIsImF1ZCI6InpTSktMVmk0R1BYS1o3TTZzUUEwY3FNc05VaHNPYkVTIiwiY19oYXNoIjoiN09SOUszNmhNdllENzJkUkFLUHhNdyIsImNvbnRhY3QiOnsiZW1haWwiOiJ2YXVsdEBoYXNoaWNvcnAuY29tIiwicGhvbmVfbnVtYmVyIjoiMTIzLTQ1Ni03ODkwIn0sImV4cCI6MTYzMzEwNjI5NCwiZ3JvdXBzIjpbImVuZ2luZWVyaW5nIl0sImlhdCI6MTYzMzEwNDQ5NCwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL2lkZW50aXR5L29pZGMvcHJvdmlkZXIvbXktcHJvdmlkZXIiLCJuYW1lc3BhY2UiOiJyb290Iiwibm9uY2UiOiJhYmNkZWZnaGlqayIsInN1YiI6IjUwMDA3OTZlLTM2ZGYtMGQ4Yy02NDYwLTgxODUzZDliMjY2NyIsInVzZXJuYW1lIjoiZW5kLXVzZXIifQ.ehdLj6jnrJvltar1kkVSyNK48w2M5vkh5DTFJFZDqatnDWhQbbKGLZnVgd3wD6KPboXRaUwhGe4jDiTIiSoJaovOhsia77NKukym_ROLvGZw-LG7xaYkzJLnmEfeQhelLxWe0DHPROB7VXcFqBx8vX5hkuoVyqrB87vwiobK42pDPZ9MRsmbM2yzBC3wrnT7RQFtT4q2Bbyt9YIAHUaq9rU0PwJRoNISw6of1uQHo3_UzLdpwth7PEOEcI47OBGFA5vR_Gw3ocREfSrUWfCWOInAKCT43cImvg4Bts6qiZYfv9n-iNBq4AihGqq_VEF-hB1Hrprn7VgnEZ1VjUHaQQ" ,
"token_type" : "Bearer"
}
{
"access_token" : "b.AAAAAQJEH5VXjfjUESCwySTKk2MS1MGVNc9oU-N2EyoLKVo9SYa-NnOWAXloYfrlO45UWC3R1PC5ZShl3JdmRJ0264julNnlBduSNXJkYjgCQsFQwXTKHcjhqdNsmJNMWiPaHPn5NLSpNQVtzAxfHADt4r9rmX-UEG5seOWbmK_Z5WwS_4a8-wcVPB7FpOGzfBydP7yMxHu-3H1TWyQvYVr28XUfYxcBbdlzxhJn0yqkWItgmZ25xEOp7SW7Pg4tYB7AXfk" ,
"expires_in" : 3600 ,
"id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6ImEzMjk5ZWVmLTllNDEtOGNiYS1kNWExLTZmZWM2NjIyODRjYyJ9.eyJhdF9oYXNoIjoiMUdlQlEzUFdtUjJ2ajZVU2swSW42USIsImF1ZCI6InpTSktMVmk0R1BYS1o3TTZzUUEwY3FNc05VaHNPYkVTIiwiY19oYXNoIjoiN09SOUszNmhNdllENzJkUkFLUHhNdyIsImNvbnRhY3QiOnsiZW1haWwiOiJ2YXVsdEBoYXNoaWNvcnAuY29tIiwicGhvbmVfbnVtYmVyIjoiMTIzLTQ1Ni03ODkwIn0sImV4cCI6MTYzMzEwNjI5NCwiZ3JvdXBzIjpbImVuZ2luZWVyaW5nIl0sImlhdCI6MTYzMzEwNDQ5NCwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL2lkZW50aXR5L29pZGMvcHJvdmlkZXIvbXktcHJvdmlkZXIiLCJuYW1lc3BhY2UiOiJyb290Iiwibm9uY2UiOiJhYmNkZWZnaGlqayIsInN1YiI6IjUwMDA3OTZlLTM2ZGYtMGQ4Yy02NDYwLTgxODUzZDliMjY2NyIsInVzZXJuYW1lIjoiZW5kLXVzZXIifQ.ehdLj6jnrJvltar1kkVSyNK48w2M5vkh5DTFJFZDqatnDWhQbbKGLZnVgd3wD6KPboXRaUwhGe4jDiTIiSoJaovOhsia77NKukym_ROLvGZw-LG7xaYkzJLnmEfeQhelLxWe0DHPROB7VXcFqBx8vX5hkuoVyqrB87vwiobK42pDPZ9MRsmbM2yzBC3wrnT7RQFtT4q2Bbyt9YIAHUaq9rU0PwJRoNISw6of1uQHo3_UzLdpwth7PEOEcI47OBGFA5vR_Gw3ocREfSrUWfCWOInAKCT43cImvg4Bts6qiZYfv9n-iNBq4AihGqq_VEF-hB1Hrprn7VgnEZ1VjUHaQQ" ,
"token_type" : "Bearer"
}
» UserInfo EndpointProvides the UserInfo Endpoint
for an OIDC provider. The UserInfo Endpoint is an OAuth 2.0 Protected
Resource that returns Claims about the authenticated End-User.
Method Path POST
/identity/oidc/provider/:name/userinfo
» Parametersname
(string: <required>)
- The name of the provider. This parameter is
specified as part of the URL.» HeadersAccess Token (string: <required>)
- The access token provided by the
Authorization: Bearer <access_token>
HTTP header acquired from the authorization
endpoint. » Sample Request$ curl \
-X GET \
--header "Authorization: Bearer $ACCESS_TOKEN " \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo
$ curl \
-X GET \
--header "Authorization: Bearer $ACCESS_TOKEN " \
http://127.0.0.1:8200/v1/identity/oidc/provider/test-provider/userinfo
» Sample Response{
"contact" : {
"email" : "vault@hashicorp.com" ,
"phone_number" : "123-456-7890"
} ,
"groups" : [
"engineering"
] ,
"sub" : "5000796e-36df-0d8c-6460-81853d9b2667" ,
"username" : "end-user" }
{
"contact" : {
"email" : "vault@hashicorp.com" ,
"phone_number" : "123-456-7890"
} ,
"groups" : [
"engineering"
] ,
"sub" : "5000796e-36df-0d8c-6460-81853d9b2667" ,
"username" : "end-user" }