Get OIDC auth settings

Enterprise feature

Returns the current settings for OIDC Authentication

Authentication

Authorization (string)
API key needed to access this API
OR
Authorization (Bearer)
API key needed to access this API, in Bearer token format

Response

oidcSettingsResponseSchema
enabled (boolean or null)
Whether to enable or disable OpenID Connect for this instance.
discoverUrl (string or null, format: "uri")
The [.well-known OpenID discover URL](https://swagger.io/docs/specification/authentication/openid-connect-discovery/)
clientId (string or null)
The OIDC client ID of this application.
secret (string or null)
Shared secret from the OpenID server. Used to authenticate login requests.
autoCreate (boolean or null)
Auto-create users based on email addresses from login tokens.
enableSingleSignOut (boolean or null)
Support single sign-out when the user clicks logout in Unleash. If true, the user is signed out of all OpenID Connect sessions they may have active against the clientId.
defaultRootRole (enum or null)
Default role granted to users auto-created from email. Only relevant if autoCreate is true.

Allowed values:
defaultRootRoleId (double or null)
Assign this root role to auto-created users. Should be a role ID; takes precedence over defaultRootRole.
emailDomains (string or null)
Comma-separated list of email domains that are automatically approved for an account in the server. Only relevant if autoCreate is true.
acrValues (string or null)
Authentication Context Class Reference, used to request extra values in the acr claim returned from the server. If multiple values are required, they should be space-separated. Consult [the OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint) for more information.
idTokenSigningAlgorithm (enum or null)
The signing algorithm used to sign our token. Refer to the [JWT signatures](https://jwt.io/introduction) documentation for more information.
Allowed values:
enableGroupSyncing (boolean or null)
Whether to enable group syncing. Refer to the Group syncing documentation.
groupJsonPath (string or null)
Specifies the path in the OIDC token response from which to read the groups the user belongs to.
addGroupsScope (boolean or null)
When enabled, Unleash will also request the 'groups' scope as part of the login request.
enablePkce (boolean or null)
Enable PKCE (Proof Key for Code Exchange) for enhanced security. Recommended for public clients; provides additional protection against authorization code interception attacks.
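
Because this response carries the shared secret alongside the provisioning settings, the following added example (not from the Unleash documentation or code base) masks the secret before the settings are logged and reviews the fields the schema marks as security-relevant. The sample response is constructed, `PLACEHOLDER_ROLE` stands in for an allowed value not listed here, and the function names `redact` and `review` are hypothetical.

```python
import json

# Constructed sample response body (not real data); field names follow the schema above.
SAMPLE_RESPONSE = json.loads("""
{
  "enabled": true,
  "discoverUrl": "https://idp.example.com/.well-known/openid-configuration",
  "clientId": "unleash-example",
  "secret": "constructed-secret-value",
  "autoCreate": true,
  "defaultRootRole": "PLACEHOLDER_ROLE",
  "defaultRootRoleId": 7,
  "emailDomains": "",
  "enablePkce": false
}
""")


def redact(settings):
    """Return a copy safe for logs or tickets: the shared secret is masked."""
    safe = dict(settings)
    if safe.get("secret"):
        safe["secret"] = "***REDACTED***"
    return safe


def review(settings):
    """Return (field, note) findings for an enabled OIDC configuration."""
    findings = []
    if not settings.get("enabled"):
        return findings  # OIDC is disabled, so the remaining fields are not in use
    if not str(settings.get("discoverUrl") or "").startswith("https://"):
        findings.append(("discoverUrl", "discovery URL is missing or not https"))
    if not settings.get("enablePkce"):
        findings.append(("enablePkce", "PKCE is off; the schema recommends enabling it"))
    if settings.get("autoCreate"):
        domains = [d.strip() for d in (settings.get("emailDomains") or "").split(",") if d.strip()]
        if not domains:
            findings.append(("emailDomains", "autoCreate is on with no email domains listed"))
        if settings.get("defaultRootRoleId") is not None and settings.get("defaultRootRole"):
            findings.append(("defaultRootRoleId", "both role fields set; defaultRootRoleId takes precedence"))
    return findings
```

Pass the parsed JSON body of the response to `review`, and log only the output of `redact`.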

Errors