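---
# OpenAPI 3.0 description of the IAM Authentication Management Service.
#
# Two groups of operations are described:
#   * console management of per-application identity providers — every
#     operation under the "… Management" tag requires the iam-console-token
#     bearer scheme;
#   * discovery of identity-provider setup — /identity-provider-setup requires
#     iam-console-token, while …/public-identity-provider-setup carries no
#     security requirement at all (see the note on that path).
openapi: 3.0.1
info:
  title: IAM Authentication Management API Specification
  description: This specification describes the endpoints of the IAM Authentication Management Service.
  version: 0-SNAPSHOT
servers:
  - url: http://localhost
    description: local development host
tags:
  - name: IAM Authentication Discovery
    description: Support functions for reading authentication configuration
  - name: IAM Console Application Identity Provider Management
    description: Management functions for application identity configurations in IAM Console
paths:
  /authentication/v1/applications/{application-expression}/identity-providers:
    get:
      tags:
        - IAM Console Application Identity Provider Management
      summary: Get application identity providers
      description: Read application identity providers by application expression
      operationId: getApplicationIdentityProviders
      parameters:
        - $ref: '#/components/parameters/application-expression'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ApplicationIdentityProviderV1'
            application/x-ndjson:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ApplicationIdentityProviderV1'
        "400":
          $ref: '#/components/responses/BadRequest'
        "401":
          $ref: '#/components/responses/Unauthorized'
        "403":
          $ref: '#/components/responses/Forbidden'
        "404":
          $ref: '#/components/responses/NotFound'
      security:
        - iam-console-token: []
    put:
      tags:
        - IAM Console Application Identity Provider Management
      summary: Upsert application identity providers
      description: >-
        Create or replace the application identity providers for the
        referenced application. If an empty list is given as input then any
        existing configurations will be removed.
      operationId: upsertApplicationIdentityProviders
      parameters:
        - $ref: '#/components/parameters/application-expression'
        - $ref: '#/components/parameters/returnUpdated'
      # NOTE(review): unlike the single-provider PUT below, this body is not
      # marked `required: true`. Confirm whether a missing body is rejected
      # (400) or treated like an empty list, which removes every configuration.
      requestBody:
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/ApplicationIdentityProviderInV1'
          application/x-ndjson:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/ApplicationIdentityProviderInV1'
      # NOTE(review): returnUpdated defaults to false, yet only a 200 with a
      # body is documented here; the single-provider PUT also lists 204
      # (NoContent). Confirm which status is returned when nothing is echoed.
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ApplicationIdentityProviderV1'
            application/x-ndjson:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ApplicationIdentityProviderV1'
        "400":
          $ref: '#/components/responses/BadRequest'
        "401":
          $ref: '#/components/responses/Unauthorized'
        "403":
          $ref: '#/components/responses/Forbidden'
        "404":
          $ref: '#/components/responses/NotFound'
        "409":
          $ref: '#/components/responses/Conflict'
      security:
        - iam-console-token: []
    delete:
      tags:
        - IAM Console Application Identity Provider Management
      summary: Delete application identity providers
      description: Remove application identity providers by application expression
      operationId: deleteApplicationIdentityProviders
      parameters:
        - $ref: '#/components/parameters/application-expression'
      responses:
        "204":
          $ref: '#/components/responses/NoContent'
        "400":
          $ref: '#/components/responses/BadRequest'
        "401":
          $ref: '#/components/responses/Unauthorized'
        "403":
          $ref: '#/components/responses/Forbidden'
        "404":
          $ref: '#/components/responses/NotFound'
        "409":
          $ref: '#/components/responses/Conflict'
      security:
        - iam-console-token: []
  /authentication/v1/applications/{application-expression}/identity-providers/{identity-provider-key}:
    get:
      tags:
        - IAM Console Application Identity Provider Management
      summary: Get application identity provider
      description: Read application identity provider by application expression and identity provider key
      operationId: getApplicationIdentityProvider
      parameters:
        - $ref: '#/components/parameters/application-expression'
        - $ref: '#/components/parameters/identity-provider-key'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApplicationIdentityProviderV1'
        "400":
          $ref: '#/components/responses/BadRequest'
        "401":
          $ref: '#/components/responses/Unauthorized'
        "403":
          $ref: '#/components/responses/Forbidden'
        "404":
          $ref: '#/components/responses/NotFound'
      security:
        - iam-console-token: []
    put:
      tags:
        - IAM Console Application Identity Provider Management
      summary: Upsert application identity provider
      description: Create or replace a specific application identity provider for the referenced application
      operationId: upsertApplicationIdentityProvider
      parameters:
        - $ref: '#/components/parameters/application-expression'
        - $ref: '#/components/parameters/identity-provider-key'
        - $ref: '#/components/parameters/returnUpdated'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ApplicationIdentityProviderInWithoutKeyV1'
        required: true
      responses:
        # 200 carries the stored entity when returnUpdated=true; 204 otherwise.
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApplicationIdentityProviderV1'
        "204":
          $ref: '#/components/responses/NoContent'
        "400":
          $ref: '#/components/responses/BadRequest'
        "401":
          $ref: '#/components/responses/Unauthorized'
        "403":
          $ref: '#/components/responses/Forbidden'
        "404":
          $ref: '#/components/responses/NotFound'
        "409":
          $ref: '#/components/responses/Conflict'
      security:
        - iam-console-token: []
    delete:
      tags:
        - IAM Console Application Identity Provider Management
      summary: Delete application identity provider
      description: Remove application identity provider by application expression and identity provider key
      operationId: deleteApplicationIdentityProvider
      parameters:
        - $ref: '#/components/parameters/application-expression'
        - $ref: '#/components/parameters/identity-provider-key'
      responses:
        "204":
          $ref: '#/components/responses/NoContent'
        "400":
          $ref: '#/components/responses/BadRequest'
        "401":
          $ref: '#/components/responses/Unauthorized'
        "403":
          $ref: '#/components/responses/Forbidden'
        "404":
          $ref: '#/components/responses/NotFound'
        "409":
          $ref: '#/components/responses/Conflict'
      security:
        - iam-console-token: []
  # Unauthenticated discovery endpoint: no `security` entry and no 401/403
  # responses. The payload is IdentityProviderSetupV1, whose per-provider
  # OIDC details (IdpAdapterDetailsOidcV1) carry only issuer and audience —
  # the attribute mappings of the full configuration are not exposed here.
  /authentication/v1/applications/{application-expression}/public-identity-provider-setup:
    get:
      tags:
        - IAM Authentication Discovery
      summary: Get publicly declared application identity providers
      description: Read publicly declared identity provider definitions for the given application expression
      operationId: getPublicIdentityProviderSetup
      parameters:
        - $ref: '#/components/parameters/application-expression'
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProviderSetupV1'
            application/x-ndjson:
              schema:
                $ref: '#/components/schemas/IdentityProviderSetupV1'
        "400":
          $ref: '#/components/responses/BadRequest'
        "404":
          $ref: '#/components/responses/NotFound'
  /authentication/v1/identity-provider-setup:
    get:
      tags:
        - IAM Authentication Discovery
      summary: Get application defined identity providers
      description: Read identity provider setup for the current application
      operationId: getIdentityProviderSetup
      responses:
        "200":
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProviderSetupV1'
            application/x-ndjson:
              schema:
                $ref: '#/components/schemas/IdentityProviderSetupV1'
        "401":
          $ref: '#/components/responses/Unauthorized'
        "403":
          $ref: '#/components/responses/Forbidden'
      security:
        - iam-console-token: []
components:
  schemas:
    # Input schema for the collection PUT; carries the provider key itself.
    ApplicationIdentityProviderInV1:
      required:
        - adapter
        - key
      type: object
      properties:
        key:
          maxLength: 64
          minLength: 1
          # Allowlist of key characters. The hyphen is placed last in the
          # class so no regex engine can read `9-_` as a character range.
          pattern: "^[a-zA-Z0-9_.-]{1,64}$"
          type: string
          description: An identity provider key which is used to identify a specific identity provider configuration.
          example: idp-1
        name:
          maxLength: 64
          type: string
          description: "A name, usually for an entity"
          example: John Doe
        description:
          maxLength: 4096
          type: string
          description: "A description, usually for an entity"
          example: "Lorem ipsum dolor sit amet, consectetur adipiscing elit."
        adapter:
          type: string
          description: Reference a supported identity provider implementation
          enum:
            - IAM_BASIC_IDP
            - OIDC
        adapterConfigOidc:
          $ref: '#/components/schemas/IdpAdapterConfigOidcInV1'
        visibility:
          type: string
          description: Defines how and if this configuration is made available via idp discovery endpoints.
          enum:
            - APPLICATION
            - PUBLIC
            - HIDDEN
    # Input schema for the single-provider PUT; the key comes from the path.
    ApplicationIdentityProviderInWithoutKeyV1:
      required:
        - adapter
      type: object
      properties:
        name:
          maxLength: 64
          type: string
          description: "A name, usually for an entity"
          example: John Doe
        description:
          maxLength: 4096
          type: string
          description: "A description, usually for an entity"
          example: "Lorem ipsum dolor sit amet, consectetur adipiscing elit."
        adapter:
          type: string
          description: Reference a supported identity provider implementation
          enum:
            - IAM_BASIC_IDP
            - OIDC
        adapterConfigOidc:
          $ref: '#/components/schemas/IdpAdapterConfigOidcInV1'
        visibility:
          type: string
          description: Defines how and if this configuration is made available via idp discovery endpoints.
          enum:
            - APPLICATION
            - PUBLIC
            - HIDDEN
    # Stored representation returned to the console; adds audit fields.
    ApplicationIdentityProviderV1:
      required:
        - adapter
        - applicationId
        - changeId
        - createdAt
        - createdBy
        - key
        - lastModifiedAt
        - lastModifiedBy
      type: object
      properties:
        applicationId:
          type: string
          description: The globally unique identifier for an application
        key:
          type: string
          description: An identity provider key which is used to identify a specific identity provider configuration.
        name:
          type: string
          description: "A name, usually for an entity"
          example: John Doe
        description:
          type: string
          description: "A description, usually for an entity"
          example: "Lorem ipsum dolor sit amet, consectetur adipiscing elit."
        adapter:
          type: string
          description: Reference a supported identity provider implementation
        adapterConfigOidc:
          $ref: '#/components/schemas/IdpAdapterConfigOidcV1'
        visibility:
          type: string
          description: Defines how and if this configuration is made available via idp discovery endpoints.
        createdAt:
          type: string
          description: UTC date time when entity was created. This string is formatted according to RFC3339.
          format: date-time
        createdBy:
          type: string
          description: The globally unique identifier for an actor
        lastModifiedAt:
          type: string
          description: UTC date time when entity was modified. This string is formatted according to RFC3339.
          format: date-time
        lastModifiedBy:
          type: string
          description: The globally unique identifier for an actor
        changeId:
          type: string
          description: Text representation of changeId sequence number
          # Quoted: a 19-digit value would otherwise be parsed as an integer.
          example: "7380283282446876762"
    ErrorDetailV1:
      required:
        - code
      type: object
      properties:
        field:
          type: string
          description: A reference to a field or parameter which cannot be processed
        code:
          type: string
          description: "A code which indicates the type of error, documented per service"
        message:
          type: string
          description: "Additional information, intended for developers"
      description: "Additional error details, usually used for form validation. Documented per service and endpoint."
    ErrorV1:
      required:
        - errorId
      type: object
      properties:
        errorId:
          type: string
          description: "An error identifier for the request, to be provided in troubleshooting."
        code:
          type: string
          description: An error code which describes this error. Documented per service and endpoint.
        message:
          type: string
          description: A human readable message of error. Intended for developers.
        details:
          type: array
          description: "Additional error details, usually used for form validation. Documented per service and endpoint."
          items:
            $ref: '#/components/schemas/ErrorDetailV1'
    # Discovery payload shared by the authenticated and the public setup GETs.
    IdentityProviderSetupV1:
      required:
        - applicationId
        - changeId
      type: object
      properties:
        applicationId:
          type: string
          description: The globally unique identifier for an application
        identityProviders:
          type: array
          description: Identity provider configurations for this application
          items:
            $ref: '#/components/schemas/IdentityProviderV1'
        changeId:
          type: string
          description: Text representation of changeId sequence number
          example: "7380283282446876762"
    IdentityProviderV1:
      required:
        - adapter
        - key
      type: object
      properties:
        key:
          type: string
          description: An identity provider key which is used to identify a specific identity provider configuration.
        name:
          type: string
          description: "A name, usually for an entity"
          example: John Doe
        description:
          type: string
          description: "A description, usually for an entity"
          example: "Lorem ipsum dolor sit amet, consectetur adipiscing elit."
        adapter:
          type: string
          description: Reference a supported identity provider implementation
        adapterDetailsOidc:
          $ref: '#/components/schemas/IdpAdapterDetailsOidcV1'
      description: Identity provider configurations for this application
    IdpAdapterConfigOidcAttributeMappingNameInV1:
      required:
        - attribute
        - syncOption
      type: object
      properties:
        attribute:
          maxLength: 256
          minLength: 1
          type: string
          description: Reference to the name attribute
        syncOption:
          type: string
          description: Defines if any mapped name should be copied into the associated actor
          enum:
            - NEVER
            - ONCE
            - ALWAYS
      description: Reference to the claim which represents the name of the end user.
    IdpAdapterConfigOidcAttributeMappingNameV1:
      required:
        - attribute
        - syncOption
      type: object
      properties:
        attribute:
          type: string
          description: Reference to the name attribute
        syncOption:
          type: string
          description: Defines if any mapped name should be copied into the associated actor
      description: Reference to the claim which represents the name of the end user.
    IdpAdapterConfigOidcAttributeMappingUsernameInV1:
      required:
        - attribute
      type: object
      properties:
        attribute:
          maxLength: 256
          minLength: 1
          type: string
          description: Reference to the username attribute.
      description: >-
        Reference to the claim which represents the username of the subject
        for its identity provider. The referenced value should be unique for
        the identity provider instance.
    IdpAdapterConfigOidcAttributeMappingUsernameV1:
      required:
        - attribute
      type: object
      properties:
        attribute:
          type: string
          description: Reference to the username attribute.
      description: >-
        Reference to the claim which represents the username of the subject
        for its identity provider. The referenced value should be unique for
        the identity provider instance.
    IdpAdapterConfigOidcInV1:
      required:
        - audience
        - issuer
      type: object
      properties:
        # NOTE(review): per the description the service resolves
        # `<issuer>/.well-known/openid-configuration` server-side. Confirm
        # that only https issuers are accepted and that the discovery
        # document's `issuer` is checked against this value before use.
        issuer:
          maxLength: 256
          minLength: 1
          type: string
          description: >-
            Identifies the issuer, which is the principal/system/application
            that issued the jwt. Must be a valid URL and its oidc
            configuration must be present at the standardized
            .well-known/openid-configuration location.
        audience:
          maxLength: 256
          minLength: 1
          type: string
          description: Identifies the recipients that the JWT is intended for. Will be used in validation of a given JWT.
        usernameMapping:
          $ref: '#/components/schemas/IdpAdapterConfigOidcAttributeMappingUsernameInV1'
        nameMapping:
          $ref: '#/components/schemas/IdpAdapterConfigOidcAttributeMappingNameInV1'
      description: OIDC adapter configuration options.
    IdpAdapterConfigOidcV1:
      required:
        - audience
        - issuer
      type: object
      properties:
        issuer:
          type: string
          description: >-
            Identifies the issuer, which is the principal/system/application
            that issued the jwt. Must be a valid URL and its oidc
            configuration must be present at the standardized
            .well-known/openid-configuration location.
        audience:
          type: string
          description: Identifies the recipients that the JWT is intended for. Will be used in validation of a given JWT.
        usernameMapping:
          $ref: '#/components/schemas/IdpAdapterConfigOidcAttributeMappingUsernameV1'
        nameMapping:
          $ref: '#/components/schemas/IdpAdapterConfigOidcAttributeMappingNameV1'
      description: OIDC adapter configuration options.
    # Reduced OIDC view used by the discovery endpoints: issuer and audience
    # only, no attribute mappings.
    IdpAdapterDetailsOidcV1:
      required:
        - audience
        - issuer
      type: object
      properties:
        issuer:
          type: string
          description: >-
            Identifies the issuer, which is the principal/system/application
            that issued the jwt. Must be a valid URL and its oidc
            configuration must be present at the standardized
            .well-known/openid-configuration location.
        audience:
          type: string
          description: Identifies the recipients that the JWT is intended for. Will be used in validation of a given JWT.
      description: OIDC adapter details
  responses:
    NoContent:
      description: The request is processed and no content was returned
    BadRequest:
      description: "The request is malformed, see error data for additional information"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorV1'
    Unauthorized:
      description: The request did not have valid authentication credentials
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorV1'
    Forbidden:
      description: The requester is not authorized to perform this action
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorV1'
    NotFound:
      description: The resource could not be found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorV1'
    Conflict:
      description: "The request could not be processed due to a conflict in state, see error data for additional information"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorV1'
  parameters:
    application-expression:
      name: application-expression
      in: path
      required: true
      schema:
        # Same allowlist as identity-provider-key; hyphen last, see there.
        pattern: "^[a-zA-Z0-9_.-]{1,64}$"
        type: string
      description: |-
        Used to identify a specific applicationId. The available options are:
        * '{applicationId}' - direct applicationId reference
    identity-provider-key:
      name: identity-provider-key
      in: path
      required: true
      schema:
        maxLength: 64
        minLength: 1
        # Allowlist of key characters. The hyphen is placed last in the
        # class so no regex engine can read `9-_` as a character range.
        pattern: "^[a-zA-Z0-9_.-]{1,64}$"
        type: string
      description: An identity provider key which is used to identify a specific identity provider configuration.
      example: idp-1
    returnUpdated:
      name: returnUpdated
      in: query
      description: To return the entity after successful update or not
      schema:
        type: boolean
        default: false
  securitySchemes:
    iam-console-token:
      type: http
      scheme: bearer
      bearerFormat: IAM issued jwt token for the IAM console application
    # NOTE(review): declared but not referenced by any operation in this
    # document; remove it or attach it to the operations it is meant for.
    iam-tenant-token:
      type: http
      scheme: bearer
      bearerFormat: IAM issued jwt token for a generic application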