Set OIDC settings
POST /api/admin/auth/oidc/settings
Configure OpenID Connect as a login provider for Unleash.
Request
Body (application/json, required): oidcSettingsSchema
- enabled (boolean): true if OpenID Connect is turned on for this instance, otherwise false.
- discoverUrl (string): The provider's OpenID Connect discovery URL, i.e. its .well-known/openid-configuration document (see the example below).
- clientId (string, required): The OIDC client ID of this application.
- secret (string, required): The client secret issued by the OpenID provider. Unleash presents it when authenticating to the provider during login (the authorization code exchange); handle it like any other credential.
- autoCreate (boolean): Automatically create users based on the email address in the login token.
- enableSingleSignOut (boolean): Support single sign-out when the user clicks logout in Unleash. If true, the user is signed out of all OpenID Connect sessions they may have active against this clientId.
- defaultRootRole (string): Possible values: Viewer, Editor, Admin. Default root role granted to users auto-created from email. Only relevant if autoCreate is true.
- defaultRootRoleId (number): Root role ID to assign to auto-created users. Takes precedence over defaultRootRole when both are set.
- emailDomains (string): Comma-separated list of email domains that are automatically approved for an account on this server. Only relevant if autoCreate is true. Anyone who can log in at the provider with an email in one of these domains gets an Unleash account with the default root role, so list only domains you control.
- acrValues (string): Authentication Context Class Reference values to request; the provider reports the context it satisfied in the acr claim of the returned token. If multiple values are required, separate them with spaces. Consult the OIDC reference for more information.
- idTokenSigningAlgorithm (string): Possible values: RS256, RS384, RS512. The algorithm the provider uses to sign ID tokens; Unleash verifies ID token signatures against it. Refer to the JWT signatures documentation for more information.
Responses
- 200
- 400
- 401
- 403
- 415
200
The stored OIDC settings, returned as oidcSettingsSchema (application/json) with the same fields as the request body above. Note that the response schema includes the secret field, so treat the response body as sensitive and keep it out of logs. Example (generated from the schema; all values are placeholders):
{
  "enabled": true,
  "discoverUrl": "https://myoidchost.azure.com/.well-known/openid-configuration",
  "clientId": "FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B",
  "secret": "qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO",
  "autoCreate": true,
  "enableSingleSignOut": true,
  "defaultRootRole": "Viewer",
  "defaultRootRoleId": 2,
  "emailDomains": "getunleash.io,getunleash.ai",
  "acrValues": "urn:okta:loa:2fa:any phr",
  "idTokenSigningAlgorithm": "RS256"
}
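The following is an added example, not code from Unleash or from this page: it checks a payload against the field rules listed above (required fields, the allowed defaultRootRole and idTokenSigningAlgorithm values, the comma-separated emailDomains format) before building the POST request, and adds two hardening checks of its own that the server does not impose (an https discovery URL, and a warning when autoCreate is on with no approved domains or with Admin as the default role). The base URL, the API token value and the sample settings are assumptions; the endpoint path, field names and allowed values are the page's.

```python
# Added example (not Unleash's own code): validate a payload for
# POST /api/admin/auth/oidc/settings against the field rules on this page,
# then build the HTTP request. The base URL, token and settings values are
# assumptions; the endpoint, field names and allowed values come from the page.
import json
import urllib.request

ALLOWED_ROOT_ROLES = {"Viewer", "Editor", "Admin"}
ALLOWED_ID_TOKEN_ALGS = {"RS256", "RS384", "RS512"}
SENSITIVE_FIELDS = {"secret"}

# Constructed sample payload mirroring the page's example (placeholder values).
EXAMPLE_SETTINGS = {
    "enabled": True,
    "discoverUrl": "https://myoidchost.azure.com/.well-known/openid-configuration",
    "clientId": "FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B",
    "secret": "qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO",
    "autoCreate": True,
    "enableSingleSignOut": True,
    "defaultRootRole": "Viewer",
    "defaultRootRoleId": 2,
    "emailDomains": "getunleash.io,getunleash.ai",
    "acrValues": "urn:okta:loa:2fa:any phr",
    "idTokenSigningAlgorithm": "RS256",
}


def parse_email_domains(value: str) -> list[str]:
    """Split the comma-separated emailDomains string, dropping blanks and whitespace."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def validate_oidc_settings(settings: dict) -> list[str]:
    """Return a list of problems; an empty list means the payload passes these checks.

    Required fields and enums follow oidcSettingsSchema. The https check and the
    autoCreate checks are this example's own hardening, not server-side rules.
    """
    problems = []
    for key in ("clientId", "secret"):
        if not isinstance(settings.get(key), str) or not settings[key].strip():
            problems.append(f"{key} is required and must be a non-empty string")
    url = settings.get("discoverUrl")
    if url is not None and not (isinstance(url, str) and url.startswith("https://")):
        problems.append("discoverUrl should be an https:// URL (discovery over http can be tampered with)")
    role = settings.get("defaultRootRole")
    if role is not None and role not in ALLOWED_ROOT_ROLES:
        problems.append(f"defaultRootRole must be one of {sorted(ALLOWED_ROOT_ROLES)}")
    alg = settings.get("idTokenSigningAlgorithm")
    if alg is not None and alg not in ALLOWED_ID_TOKEN_ALGS:
        problems.append(f"idTokenSigningAlgorithm must be one of {sorted(ALLOWED_ID_TOKEN_ALGS)}")
    if settings.get("autoCreate"):
        domains = parse_email_domains(settings.get("emailDomains") or "")
        if not domains:
            problems.append("autoCreate is true but emailDomains is empty; restrict auto-creation to domains you control")
        for d in domains:
            if "@" in d or "." not in d:
                problems.append(f"emailDomains entry {d!r} is not a bare domain")
        if role == "Admin":
            problems.append("auto-created users would get the Admin root role; use Viewer unless every login is trusted")
    return problems


def redact(settings: dict) -> dict:
    """Copy of the settings that is safe to log: sensitive values are masked."""
    return {k: ("***" if k in SENSITIVE_FIELDS else v) for k, v in settings.items()}


def build_request(base_url: str, api_token: str, settings: dict) -> urllib.request.Request:
    """Build the POST request; raise ValueError instead of sending a bad payload."""
    problems = validate_oidc_settings(settings)
    if problems:
        raise ValueError("refusing to send OIDC settings: " + "; ".join(problems))
    body = json.dumps(settings).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/admin/auth/oidc/settings",
        data=body,
        method="POST",
        headers={
            "Authorization": api_token,  # admin API token; the value used below is a placeholder
            "Content-Type": "application/json",  # any other content type is answered with 415
        },
    )


if __name__ == "__main__":
    req = build_request("https://unleash.example.com", "<admin-api-token>", EXAMPLE_SETTINGS)
    print(req.get_method(), req.full_url)
    print(json.dumps(redact(EXAMPLE_SETTINGS), indent=2))
    # To apply the settings for real: urllib.request.urlopen(req) with a valid token and network access.
```

Only the redacted copy is printed; the request body still carries the real secret, which is exactly why the validation runs before anything is sent and why the response (which echoes the secret field) should not be logged either.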
400
The request data does not match what we expect.
Error object (application/json) with the fields:
- id (string): The ID of the error instance.
- name (string): The name of the error kind.
- message (string): A description of what went wrong.
Example (generated from the schema):
{
  "id": "9c40958a-daac-400e-98fb-3bb438567008",
  "name": "ValidationError",
  "message": "The request payload you provided doesn't conform to the schema. The .parameters property should be object. You sent []."
}
401
Authorization information is missing or invalid. Provide a valid API token as the authorization header, e.g. authorization:*.*.my-admin-token.
Error object (application/json) with the same id, name and message fields as the 400 response. Example (generated from the schema):
{
  "id": "9c40958a-daac-400e-98fb-3bb438567008",
  "name": "AuthenticationRequired",
  "message": "You must log in to use Unleash. Your request had no authorization header, so we could not authorize you. Try logging in at /auth/simple/login."
}
403
The provided user credentials are valid, but the user does not have the necessary permissions to perform this operation.
Error object (application/json) with the same id, name and message fields as the 400 response. The example below is the schema's generic example, so the permission and environment it names are not the ones checked by this endpoint:
{
  "id": "9c40958a-daac-400e-98fb-3bb438567008",
  "name": "NoAccessError",
  "message": "You need the \"UPDATE_ADDON\" permission to perform this action in the \"development\" environment."
}
415
The operation does not support request payloads of the provided type. Please ensure that you're using one of the listed payload types and that you have specified the right content type in the "content-type" header.
Error object (application/json) with the same id, name and message fields as the 400 response. Example (generated from the schema):
{
  "id": "9c40958a-daac-400e-98fb-3bb438567008",
  "name": "ContentTypeerror",
  "message": "We do not accept the content-type you provided (application/xml). Try using one of the content-types we do accept instead (application/json) and make sure the body is in the corresponding format."
}