# Set OIDC settings

POST https://app.unleash-instance.example.com/api/admin/auth/oidc/settings
Content-Type: application/json

**Enterprise feature**

Configure OpenID Connect as a login provider for Unleash.

Reference: https://docs.getunleash.io/api/set-oidc-settings

## OpenAPI Specification

```yaml
openapi: 3.1.1
info:
  title: Set OIDC settings
  version: endpoint_auth.setOidcSettings
paths:
  /api/admin/auth/oidc/settings:
    post:
      operationId: set-oidc-settings
      summary: Set OIDC settings
      description: |-
        **Enterprise feature**

        Configure OpenID Connect as a login provider for Unleash.
      tags:
        - subpackage_auth
      parameters:
        - name: Authorization
          in: header
          description: >-
            Header authentication: an admin API token sent as the
            `Authorization` header, e.g. `Authorization: *.*.my-admin-token`
          required: true
          schema:
            type: string
      responses:
        '200':
          description: oidcSettingsResponseSchema
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/oidcSettingsResponseSchema'
        '400':
          description: The request data does not match what we expect.
          content: {}
        '401':
          description: >-
            Authorization information is missing or invalid. Provide a valid
            API token as the `authorization` header, e.g.
            `authorization:*.*.my-admin-token`.
          content: {}
        '403':
          description: >-
            The provided user credentials are valid, but the user does not have
            the necessary permissions to perform this operation
          content: {}
        '415':
          description: >-
            The operation does not support request payloads of the provided
            type. Please ensure that you're using one of the listed payload
            types and that you have specified the right content type in the
            "content-type" header.
          content: {}
      requestBody:
        description: oidcSettingsSchema
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/oidcSettingsSchema'
components:
  schemas:
    OidcSettingsSchemaOneOf0DefaultRootRole:
      type: string
      enum:
        - Viewer
        - Editor
        - Admin
    OidcSettingsSchemaOneOf0IdTokenSigningAlgorithm:
      type: string
      enum:
        - RS256
        - RS384
        - RS512
    OidcSettingsSchema0:
      type: object
      properties:
        enabled:
          type: boolean
          description: Whether to enable or disable OpenID Connect for this instance
        discoverUrl:
          type: string
          format: uri
          description: >-
            The [.well-known OpenID discover URL](https://swagger.io/docs/specification/authentication/openid-connect-discovery/)
        clientId:
          type: string
          description: The OIDC client ID of this application.
        secret:
          type: string
          description: >-
            Shared secret from the OpenID server. Used to authenticate login
            requests
        autoCreate:
          type: boolean
          description: Auto-create users based on email addresses from login tokens
        enableSingleSignOut:
          type: boolean
          description: >-
            Support single sign-out when the user clicks logout in Unleash. If
            `true`, the user is signed out of all OpenID Connect sessions
            against the clientId they may have active
        defaultRootRole:
          $ref: '#/components/schemas/OidcSettingsSchemaOneOf0DefaultRootRole'
          description: >-
            [Default role](https://docs.getunleash.io/concepts/rbac#standard-roles)
            granted to users auto-created from email. Only relevant if
            autoCreate is `true`
        defaultRootRoleId:
          type: number
          format: double
          description: >-
            Assign this root role to auto-created users. Should be a role ID and
            takes precedence over `defaultRootRole`.
        emailDomains:
          type: string
          description: >-
            Comma-separated list of email domains that are automatically
            approved for an account in the server. Only relevant if autoCreate
            is `true`
        acrValues:
          type: string
          description: >
            Authentication Context Class Reference, used to request extra
            values in the acr claim returned from the server. If multiple
            values are required, they should be space separated. Consult [the
            OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
            for more information
        idTokenSigningAlgorithm:
          $ref: '#/components/schemas/OidcSettingsSchemaOneOf0IdTokenSigningAlgorithm'
          description: >-
            The signing algorithm used to sign the ID token. Refer to the [JWT
            signatures](https://jwt.io/introduction) documentation for more
            information.
        enableGroupSyncing:
          type: boolean
          description: >-
            Whether to enable group syncing. Refer to the documentation [Group
            syncing](https://docs.getunleash.io/guides/how-to-set-up-group-sso-sync)
        groupJsonPath:
          type: string
          description: >-
            Specifies the path in the OIDC token response from which to read the
            groups the user belongs to.
        addGroupsScope:
          type: boolean
          description: >-
            When enabled, Unleash will also request the 'groups' scope as part
            of the login request.
        enablePkce:
          type: boolean
          description: >-
            Enable PKCE (Proof Key for Code Exchange) for enhanced security.
            Recommended for public clients and provides additional protection
            against authorization code interception attacks.
      required:
        - enabled
        - clientId
        - secret
    OidcSettingsSchemaOneOf1DefaultRootRole:
      type: string
      enum:
        - Viewer
        - Editor
        - Admin
    OidcSettingsSchemaOneOf1IdTokenSigningAlgorithm:
      type: string
      enum:
        - RS256
        - RS384
        - RS512
    OidcSettingsSchema1:
      type: object
      properties:
        enabled:
          type: boolean
          description: Whether to enable or disable OpenID Connect for this instance
        discoverUrl:
          type: string
          format: uri
          description: >-
            The [.well-known OpenID discover URL](https://swagger.io/docs/specification/authentication/openid-connect-discovery/)
        clientId:
          type: string
          description: The OIDC client ID of this application.
        secret:
          type: string
          description: >-
            Shared secret from the OpenID server. Used to authenticate login
            requests
        autoCreate:
          type: boolean
          description: Auto-create users based on email addresses from login tokens
        enableSingleSignOut:
          type: boolean
          description: >-
            Support single sign-out when the user clicks logout in Unleash. If
            `true`, the user is signed out of all OpenID Connect sessions
            against the clientId they may have active
        defaultRootRole:
          $ref: '#/components/schemas/OidcSettingsSchemaOneOf1DefaultRootRole'
          description: >-
            [Default role](https://docs.getunleash.io/concepts/rbac#standard-roles)
            granted to users auto-created from email. Only relevant if
            autoCreate is `true`
        defaultRootRoleId:
          type: number
          format: double
          description: >-
            Assign this root role to auto-created users. Should be a role ID and
            takes precedence over `defaultRootRole`.
        emailDomains:
          type: string
          description: >-
            Comma-separated list of email domains that are automatically
            approved for an account in the server. Only relevant if autoCreate
            is `true`
        acrValues:
          type: string
          description: >
            Authentication Context Class Reference, used to request extra
            values in the acr claim returned from the server. If multiple
            values are required, they should be space separated. Consult [the
            OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
            for more information
        idTokenSigningAlgorithm:
          $ref: '#/components/schemas/OidcSettingsSchemaOneOf1IdTokenSigningAlgorithm'
          description: >-
            The signing algorithm used to sign the ID token. Refer to the [JWT
            signatures](https://jwt.io/introduction) documentation for more
            information.
        enableGroupSyncing:
          type: boolean
          description: >-
            Whether to enable group syncing. Refer to the documentation [Group
            syncing](https://docs.getunleash.io/guides/how-to-set-up-group-sso-sync)
        groupJsonPath:
          type: string
          description: >-
            Specifies the path in the OIDC token response from which to read the
            groups the user belongs to.
        addGroupsScope:
          type: boolean
          description: >-
            When enabled, Unleash will also request the 'groups' scope as part
            of the login request.
        enablePkce:
          type: boolean
          description: >-
            Enable PKCE (Proof Key for Code Exchange) for enhanced security.
            Recommended for public clients and provides additional protection
            against authorization code interception attacks.
    oidcSettingsSchema:
      oneOf:
        - $ref: '#/components/schemas/OidcSettingsSchema0'
        - $ref: '#/components/schemas/OidcSettingsSchema1'
    OidcSettingsResponseSchemaDefaultRootRole:
      type: string
      enum:
        - Viewer
        - Editor
        - Admin
    OidcSettingsResponseSchemaIdTokenSigningAlgorithm:
      type: string
      enum:
        - RS256
        - RS384
        - RS512
    oidcSettingsResponseSchema:
      type: object
      properties:
        enabled:
          type: boolean
          description: Whether to enable or disable OpenID Connect for this instance
        discoverUrl:
          type: string
          format: uri
          description: >-
            The [.well-known OpenID discover URL](https://swagger.io/docs/specification/authentication/openid-connect-discovery/)
        clientId:
          type: string
          description: The OIDC client ID of this application.
        secret:
          type: string
          description: >-
            Shared secret from the OpenID server. Used to authenticate login
            requests
        autoCreate:
          type: boolean
          description: Auto-create users based on email addresses from login tokens
        enableSingleSignOut:
          type: boolean
          description: >-
            Support single sign-out when the user clicks logout in Unleash. If
            `true`, the user is signed out of all OpenID Connect sessions
            against the clientId they may have active
        defaultRootRole:
          $ref: '#/components/schemas/OidcSettingsResponseSchemaDefaultRootRole'
          description: >-
            [Default role](https://docs.getunleash.io/concepts/rbac#standard-roles)
            granted to users auto-created from email. Only relevant if
            autoCreate is `true`
        defaultRootRoleId:
          type: number
          format: double
          description: >-
            Assign this root role to auto-created users. Should be a role ID and
            takes precedence over `defaultRootRole`.
        emailDomains:
          type: string
          description: >-
            Comma-separated list of email domains that are automatically
            approved for an account in the server. Only relevant if autoCreate
            is `true`
        acrValues:
          type: string
          description: >
            Authentication Context Class Reference, used to request extra
            values in the acr claim returned from the server. If multiple
            values are required, they should be space separated. Consult [the
            OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint)
            for more information
        idTokenSigningAlgorithm:
          $ref: '#/components/schemas/OidcSettingsResponseSchemaIdTokenSigningAlgorithm'
          description: >-
            The signing algorithm used to sign the ID token. Refer to the [JWT
            signatures](https://jwt.io/introduction) documentation for more
            information.
        enableGroupSyncing:
          type: boolean
          description: >-
            Whether to enable group syncing. Refer to the documentation [Group
            syncing](https://docs.getunleash.io/guides/how-to-set-up-group-sso-sync)
        groupJsonPath:
          type: string
          description: >-
            Specifies the path in the OIDC token response from which to read the
            groups the user belongs to.
        addGroupsScope:
          type: boolean
          description: >-
            When enabled, Unleash will also request the 'groups' scope as part
            of the login request.
        enablePkce:
          type: boolean
          description: >-
            Enable PKCE (Proof Key for Code Exchange) for enhanced security.
            Recommended for public clients and provides additional protection
            against authorization code interception attacks.
```

## SDK Code Examples

Every example below sends the minimal required body (`enabled`, `clientId`, `secret`). The `Authorization` header must carry an admin API token (the original samples left it empty, which the server answers with 401); `<admin-api-token>` is a placeholder to replace.

```python
import requests

url = "https://app.unleash-instance.example.com/api/admin/auth/oidc/settings"

payload = {
    "enabled": True,
    "clientId": "FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B",
    "secret": "qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO",
}

headers = {
    # Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
    "Authorization": "<admin-api-token>",
    "Content-Type": "application/json",
}

response = requests.post(url, json=payload, headers=headers)
print(response.status_code)
print(response.json())
```

```javascript
const url = 'https://app.unleash-instance.example.com/api/admin/auth/oidc/settings';

const options = {
  method: 'POST',
  headers: {
    // Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
    Authorization: '<admin-api-token>',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    enabled: true,
    clientId: 'FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B',
    secret: 'qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO',
  }),
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(response.status, data);
} catch (error) {
  console.error(error);
}
```

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

func main() {
	url := "https://app.unleash-instance.example.com/api/admin/auth/oidc/settings"

	payload := strings.NewReader(`{
  "enabled": true,
  "clientId": "FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B",
  "secret": "qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO"
}`)

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		panic(err)
	}
	// Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
	req.Header.Add("Authorization", "<admin-api-token>")
	req.Header.Add("Content-Type", "application/json")

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer res.Body.Close()

	body, _ := io.ReadAll(res.Body)
	fmt.Println(res.Status)
	fmt.Println(string(body))
}
```

```ruby
require 'uri'
require 'net/http'

url = URI("https://app.unleash-instance.example.com/api/admin/auth/oidc/settings")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
# Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
request["Authorization"] = '<admin-api-token>'
request["Content-Type"] = 'application/json'
request.body = "{\n  \"enabled\": true,\n  \"clientId\": \"FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B\",\n  \"secret\": \"qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO\"\n}"

response = http.request(request)
puts response.code
puts response.read_body
```

```java
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.Unirest;

HttpResponse<String> response = Unirest.post("https://app.unleash-instance.example.com/api/admin/auth/oidc/settings")
  // Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
  .header("Authorization", "<admin-api-token>")
  .header("Content-Type", "application/json")
  .body("{\n  \"enabled\": true,\n  \"clientId\": \"FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B\",\n  \"secret\": \"qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO\"\n}")
  .asString();

System.out.println(response.getStatus());
System.out.println(response.getBody());
```

```php
<?php
// The original snippet was truncated; the request()/getBody() calls match the
// Guzzle HTTP client, which is assumed here.
require 'vendor/autoload.php';

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://app.unleash-instance.example.com/api/admin/auth/oidc/settings', [
  'body' => '{
  "enabled": true,
  "clientId": "FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B",
  "secret": "qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO"
}',
  'headers' => [
    // Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
    'Authorization' => '<admin-api-token>',
    'Content-Type' => 'application/json',
  ],
]);

echo $response->getBody();
```

```csharp
using RestSharp;

var client = new RestClient("https://app.unleash-instance.example.com/api/admin/auth/oidc/settings");
var request = new RestRequest(Method.POST);
// Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
request.AddHeader("Authorization", "<admin-api-token>");
request.AddHeader("Content-Type", "application/json");
request.AddParameter("application/json",
  "{\n  \"enabled\": true,\n  \"clientId\": \"FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B\",\n  \"secret\": \"qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO\"\n}",
  ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```

```swift
import Foundation

let headers = [
  // Admin API token, e.g. "*.*.my-admin-token"; an empty value returns 401
  "Authorization": "<admin-api-token>",
  "Content-Type": "application/json"
]
let parameters = [
  "enabled": true,
  "clientId": "FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B",
  "secret": "qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO"
] as [String : Any]

// JSONSerialization.data(withJSONObject:) throws; the literal above is always serializable
let postData = try! JSONSerialization.data(withJSONObject: parameters, options: [])

let request = NSMutableURLRequest(url: NSURL(string: "https://app.unleash-instance.example.com/api/admin/auth/oidc/settings")! as URL,
                                  cachePolicy: .useProtocolCachePolicy,
                                  timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error as Any)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse as Any)
  }
})

dataTask.resume()
```
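The SDK examples above send only the three required fields, which leaves PKCE off and, if `autoCreate` is later switched on, places no limit on who gets an account or which root role they receive. The script below is an added example, not Unleash code: it lints an `oidcSettingsSchema` payload against the fields documented in the spec, shows a weak payload beside a hardened one, and only submits a payload that passes. The lint rules, the `hardened_settings()` baseline, the `idp.example.com` discovery URL, the `UNLEASH_ADMIN_TOKEN` environment variable and the constructed `WEAK` payload are all this editor's assumptions; the field names, enums and `required` list come from the spec. Note that `oidcSettingsResponseSchema` lists `secret`, so avoid printing the response body verbatim into logs.

```python
"""Lint an Unleash OIDC settings payload before POSTing it (added example)."""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

ALLOWED_ALGS = {"RS256", "RS384", "RS512"}     # enum from the spec
ALLOWED_ROLES = {"Viewer", "Editor", "Admin"}  # enum from the spec
REQUIRED = ("enabled", "clientId", "secret")   # OidcSettingsSchema0.required


def lint_oidc_settings(settings: dict) -> list[str]:
    """Return findings for a payload; an empty list means it passed every rule."""
    findings = []
    for key in REQUIRED:
        if key not in settings:
            findings.append(f"missing required field {key!r} (server answers 400)")
    url = settings.get("discoverUrl")
    if url:
        if urlparse(url).scheme != "https":
            findings.append("discoverUrl must be https: plaintext discovery lets an on-path "
                            "attacker substitute the issuer, endpoints and JWKS")
        if not url.endswith("/.well-known/openid-configuration"):
            findings.append("discoverUrl should point at /.well-known/openid-configuration")
    if settings.get("enabled") and not settings.get("enablePkce"):
        findings.append("enablePkce is off; enable it to block authorization code interception")
    alg = settings.get("idTokenSigningAlgorithm")
    if alg is not None and alg not in ALLOWED_ALGS:
        findings.append(f"idTokenSigningAlgorithm {alg!r} is not one of {sorted(ALLOWED_ALGS)}")
    if settings.get("autoCreate"):
        domains = [d.strip() for d in settings.get("emailDomains", "").split(",") if d.strip()]
        if not domains:
            findings.append("autoCreate without emailDomains: every identity the provider "
                            "issues gets an Unleash account")
        role = settings.get("defaultRootRole")
        if role is not None and role not in ALLOWED_ROLES:
            findings.append(f"defaultRootRole {role!r} is not one of {sorted(ALLOWED_ROLES)}")
        elif role == "Admin":
            findings.append("defaultRootRole Admin hands full control to every new login; use Viewer")
    if settings.get("enableGroupSyncing") and not settings.get("groupJsonPath"):
        findings.append("enableGroupSyncing needs groupJsonPath to locate the groups claim")
    return findings


def hardened_settings(client_id: str, secret: str, discover_url: str, email_domains: str) -> dict:
    """Baseline payload that passes lint_oidc_settings (editor's recommendation, not a default)."""
    return {
        "enabled": True,
        "discoverUrl": discover_url,
        "clientId": client_id,
        "secret": secret,
        "enablePkce": True,
        "idTokenSigningAlgorithm": "RS256",
        "autoCreate": True,
        "emailDomains": email_domains,
        "defaultRootRole": "Viewer",
        "enableSingleSignOut": True,
    }


def submit_settings(base_url: str, token: str, settings: dict) -> tuple[int, dict]:
    """POST to /api/admin/auth/oidc/settings; refuses to send a payload that fails lint."""
    findings = lint_oidc_settings(settings)
    if findings:
        raise ValueError("refusing to submit: " + "; ".join(findings))
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/admin/auth/oidc/settings",
        data=json.dumps(settings).encode(),
        method="POST",
        headers={"Authorization": token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
            body.pop("secret", None)  # response schema includes the secret; keep it out of logs
            return resp.status, body
    except urllib.error.HTTPError as e:
        # 400 schema mismatch, 401 bad token, 403 token lacks admin rights, 415 wrong content type
        return e.code, {"error": e.read().decode()}


# Constructed weak payload: every rule above fires except the required-field and enum checks.
WEAK = {
    "enabled": True,
    "discoverUrl": "http://idp.example.com/.well-known/openid-configuration",
    "clientId": "FB87266D-CDDB-4BCF-BB1F-8392FD0EDC1B",
    "secret": "qjcVfeFjEfoYAF3AEsX2IMUWYuUzAbXO",
    "autoCreate": True,
    "defaultRootRole": "Admin",
    "enableGroupSyncing": True,
}

if __name__ == "__main__":
    for finding in lint_oidc_settings(WEAK):
        print("WEAK:", finding)
    good = hardened_settings(WEAK["clientId"], WEAK["secret"],
                             "https://idp.example.com/.well-known/openid-configuration", "example.com")
    print("hardened findings:", lint_oidc_settings(good))
    token = os.environ.get("UNLEASH_ADMIN_TOKEN")
    if token:  # only talk to the network when a token is supplied
        print(submit_settings("https://app.unleash-instance.example.com", token, good))
```

Run it without `UNLEASH_ADMIN_TOKEN` to see the five findings on the weak payload and an empty list for the hardened one; with the token set it performs the same POST as the SDK examples, but only after the lint passes.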