
Update OIDC Application Config

Update the OIDC specific configuration of an application.

Path Parameters
  • projectId string required
  • appId string required
Header Parameters
  • x-zitadel-orgid string

    The default is always the organization of the requesting user. To change or get objects of another organization, include this header. Make sure the requesting user has permission to access the requested data.

Request Body required
  • redirectUris string[]

    Callback URIs of the authorization request, to which the code or tokens will be sent

  • responseTypes string[]

    Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]

    Determines whether a code, id_token token or just id_token will be returned

  • grantTypes string[]

    Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE]

    The flow type the application uses to gain access

  • appType string

    Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]

    Default value: OIDC_APP_TYPE_WEB

    Determines the paradigm of the application

  • authMethodType string

    Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]

    Default value: OIDC_AUTH_METHOD_TYPE_BASIC

    Defines how the application passes login credentials

  • postLogoutRedirectUris string[]

    ZITADEL will redirect to this link after a successful logout

  • devMode boolean

    Used for development. When enabled, some checks required by the OIDC specification are not performed.

  • accessTokenType string

    Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]

    Default value: OIDC_TOKEN_TYPE_BEARER

    Type of the access token returned from ZITADEL

  • accessTokenRoleAssertion boolean

    Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes

  • idTokenRoleAssertion boolean

    Adds roles to the claims of the id token even if they are not requested by scopes

  • idTokenUserinfoAssertion boolean

    Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.

  • clockSkew string

    Used to compensate for time differences between servers. The duration is added to the "exp" claim and subtracted from the "iat", "auth_time" and "nbf" claims

  • additionalOrigins string[]

    Additional origins (other than the redirect_uris) from where the API can be used

  • skipNativeAppSuccessPage boolean

    Skip the successful login page on native apps and directly redirect the user to the callback.

Responses

A successful response.


Schema
  • details object
  • sequence uint64

    on read: the sequence of the last event reduced by the projection

    on manipulation: the timestamp of the event(s) added by the manipulation

  • creationDate date-time

    on read: the timestamp of the first event of the object

    on create: the timestamp of the event(s) added by the manipulation

  • changeDate date-time

    on read: the timestamp of the last event reduced by the projection

    on manipulation: the

  • resourceOwner

    resource_owner is the organization an object belongs to
PUT /projects/:projectId/apps/:appId/oidc_config

Authorization

type: oauth2
flow: authorizationCode
scopes: openid, urn:zitadel:iam:org:project:id:zitadel:aud

Request

Base URL
https://$ZITADEL_DOMAIN/management/v1
# Replace :projectId, :appId and <TOKEN>; $ZITADEL_DOMAIN is read from the environment.
curl -L -X PUT "https://$ZITADEL_DOMAIN/management/v1/projects/:projectId/apps/:appId/oidc_config" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer <TOKEN>' \
  --data-raw '{
    "redirectUris": [
      "http://localhost:4200/auth/callback"
    ],
    "responseTypes": [
      "OIDC_RESPONSE_TYPE_CODE"
    ],
    "grantTypes": [
      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE"
    ],
    "appType": "OIDC_APP_TYPE_WEB",
    "authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
    "postLogoutRedirectUris": [
      "http://localhost:4200/signedout"
    ],
    "devMode": true,
    "accessTokenType": "OIDC_TOKEN_TYPE_BEARER",
    "accessTokenRoleAssertion": true,
    "idTokenRoleAssertion": true,
    "idTokenUserinfoAssertion": true,
    "clockSkew": "1s",
    "additionalOrigins": [
      "https://console.zitadel.ch/auth/callback"
    ],
    "skipNativeAppSuccessPage": true
  }'
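
The field descriptions above mark devMode and idTokenUserinfoAssertion as departures from the OIDC specification. The following pre-flight check is an added example, not part of ZITADEL's documentation or code: it audits a request body for those two settings before it is sent. The implicit-grant, non-code response type and plain-http checks, and the names audit_oidc_config, is_plain_http, PAGE_EXAMPLE and CONSTRUCTED_RISKY, are assumptions of this example.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
URI_FIELDS = ("redirectUris", "postLogoutRedirectUris", "additionalOrigins")

def is_plain_http(uri):
    """True for http:// URIs whose host is not a loopback address."""
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS

def audit_oidc_config(body):
    """Return (field, finding) tuples for a request body given as a dict."""
    findings = []
    if body.get("devMode"):
        findings.append(("devMode", "some OIDC specification checks are not performed"))
    if body.get("idTokenUserinfoAssertion"):
        findings.append(("idTokenUserinfoAssertion", "violates the OIDC specification"))
    # Assumption of this example: implicit flow and non-code response types are reported.
    if "OIDC_GRANT_TYPE_IMPLICIT" in body.get("grantTypes", []):
        findings.append(("grantTypes", "implicit grant enabled"))
    for rt in body.get("responseTypes", []):
        if rt != "OIDC_RESPONSE_TYPE_CODE":
            findings.append(("responseTypes", rt + " returns tokens from the authorization request"))
    for field in URI_FIELDS:
        for uri in body.get(field, []):
            if is_plain_http(uri):
                findings.append((field, "plain http to a non-loopback host: " + uri))
    return findings

# The request body from this page's example, trimmed to the audited fields.
PAGE_EXAMPLE = {
    "redirectUris": ["http://localhost:4200/auth/callback"],
    "responseTypes": ["OIDC_RESPONSE_TYPE_CODE"],
    "grantTypes": ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"],
    "postLogoutRedirectUris": ["http://localhost:4200/signedout"],
    "devMode": True,
    "idTokenUserinfoAssertion": True,
    "additionalOrigins": ["https://console.zitadel.ch/auth/callback"],
}

# Constructed body (not from the page) that trips the remaining checks.
CONSTRUCTED_RISKY = {
    "redirectUris": ["http://app.example.com/callback"],
    "responseTypes": ["OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN"],
    "grantTypes": ["OIDC_GRANT_TYPE_IMPLICIT"],
    "devMode": False,
}

if __name__ == "__main__":
    for name, body in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_RISKY)):
        for field, finding in audit_oidc_config(body):
            print(f"{name}: {field}: {finding}")
```

Run against the page's example body, the check reports devMode and idTokenUserinfoAssertion; the localhost redirect URIs pass because loopback hosts are exempt from the plain-http check.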