This is a cache of https://docs.openshift.com/acs/4.5/api/AuthProviderService.html. It is a snapshot of the page at 2024-11-24T18:10:51.335+0000.
AuthProvid<strong>e</strong>rS<strong>e</strong>rvic<strong>e</strong> | API r<strong>e</strong>f<strong>e</strong>r<strong>e</strong>nc<strong>e</strong> | R<strong>e</strong>d Hat Advanc<strong>e</strong>d Clust<strong>e</strong>r S<strong>e</strong>curity for Kub<strong>e</strong>rn<strong>e</strong>t<strong>e</strong>s 4.5
&times;

DeleteAuthProvider

DeLeTe /v1/authProviders/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Query Parameters

Name Description Required Default Pattern

force

-

null

Return Type

Object

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

exchangeToken

POST /v1/authProviders/exchangeToken

Description

Parameters

Body Parameter

Name Description Required Default Pattern

body

V1exchangeTokenRequest

X

Content Type

  • application/json

Responses

Table 2. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1exchangeTokenResponse

0

An unexpected error response.

Runtimeerror

Samples

GetAuthProvider

GeT /v1/authProviders/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Return Type

Content Type

  • application/json

Responses

Table 3. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

Runtimeerror

Samples

GetAuthProviders

GeT /v1/authProviders

Description

Parameters

Query Parameters

Name Description Required Default Pattern

name

-

null

type

-

null

Content Type

  • application/json

Responses

Table 4. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1GetAuthProvidersResponse

0

An unexpected error response.

Runtimeerror

Samples

GetLoginAuthProviders

GeT /v1/login/authproviders

Description

Parameters

Content Type

  • application/json

Responses

Table 5. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1GetLoginAuthProvidersResponse

0

An unexpected error response.

Runtimeerror

Samples

ListAvailableProviderTypes

GeT /v1/availableAuthProviders

Description

Parameters

Content Type

  • application/json

Responses

Table 6. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1AvailableProviderTypesResponse

0

An unexpected error response.

Runtimeerror

Samples

PostAuthProvider

POST /v1/authProviders

Description

Parameters

Body Parameter

Name Description Required Default Pattern

body

StorageAuthProvider

X

Return Type

Content Type

  • application/json

Responses

Table 7. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

Runtimeerror

Samples

PutAuthProvider

PUT /v1/authProviders/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Body Parameter

Name Description Required Default Pattern

body

StorageAuthProvider

X

Return Type

Content Type

  • application/json

Responses

Table 8. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

Runtimeerror

Samples

UpdateAuthProvider

PATCH /v1/authProviders/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Body Parameter

Name Description Required Default Pattern

body

V1UpdateAuthProviderRequest

X

Return Type

Content Type

  • application/json

Responses

Table 9. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

Runtimeerror

Samples

Common object reference

AuthProviderRequiredAttribute

RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.

Field Name Required Nullable Type Description Format

attributeKey

String

attributeValue

String

AvailableProviderTypesResponseAuthProviderType

Field Name Required Nullable Type Description Format

type

String

suggestedAttributes

List of string

GetLoginAuthProvidersResponseLoginAuthProvider

Field Name Required Nullable Type Description Format

id

String

name

String

type

String

loginUrl

String

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DeSCRIPTOR):
  any.Unpack(foo)
  ...
example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. example (for message [google.protobuf.Duration][]):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Field Name Required Nullable Type Description Format

typeUrl

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GeT on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

value

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

Runtimeerror

Field Name Required Nullable Type Description Format

error

String

code

Integer

int32

message

String

details

List of ProtobufAny

StorageAccess

enum Values

NO_ACCeSS

ReAD_ACCeSS

ReAD_WRITe_ACCeSS

StorageAuthProvider

Next Tag: 15.

Field Name Required Nullable Type Description Format

id

String

name

String

type

String

uiendpoint

String

enabled

Boolean

config

Map of string

Config holds auth provider specific configuration. each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PeM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PeM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use.

loginUrl

String

The login URL will be provided by the backend, and may not be specified in a request.

validated

Boolean

extraUiendpoints

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

active

Boolean

requiredAttributes

List of AuthProviderRequiredAttribute

traits

StorageTraits

claimMappings

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider.

lastUpdated

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

StorageServiceIdentity

Field Name Required Nullable Type Description Format

serialStr

String

serial

String

int64

id

String

type

StorageServiceType

UNKNOWN_SeRVICe, SeNSOR_SeRVICe, CeNTRAL_SeRVICe, CeNTRAL_DB_SeRVICe, ReMOTe_SeRVICe, COLLeCTOR_SeRVICe, MONITORING_UI_SeRVICe, MONITORING_DB_SeRVICe, MONITORING_CLIeNT_SeRVICe, BeNCHMARK_SeRVICe, SCANNeR_SeRVICe, SCANNeR_DB_SeRVICe, ADMISSION_CONTROL_SeRVICe, SCANNeR_V4_INDeXeR_SeRVICe, SCANNeR_V4_MATCHeR_SeRVICe, SCANNeR_V4_DB_SeRVICe,

initBundleId

String

StorageServiceType

Next available tag: 16
enum Values

UNKNOWN_SeRVICe

SeNSOR_SeRVICe

CeNTRAL_SeRVICe

CeNTRAL_DB_SeRVICe

ReMOTe_SeRVICe

COLLeCTOR_SeRVICe

MONITORING_UI_SeRVICe

MONITORING_DB_SeRVICe

MONITORING_CLIeNT_SeRVICe

BeNCHMARK_SeRVICe

SCANNeR_SeRVICe

SCANNeR_DB_SeRVICe

ADMISSION_CONTROL_SeRVICe

SCANNeR_V4_INDeXeR_SeRVICe

SCANNeR_V4_MATCHeR_SeRVICe

SCANNeR_V4_DB_SeRVICe

StorageTraits

Field Name Required Nullable Type Description Format

mutabilityMode

TraitsMutabilityMode

ALLOW_MUTATe, ALLOW_MUTATe_FORCeD,

visibility

TraitsVisibility

VISIBLe, HIDDeN,

origin

TraitsOrigin

IMPeRATIVe, DeFAULT, DeCLARATIVe, DeCLARATIVe_ORPHANeD,

StorageUserInfo

Field Name Required Nullable Type Description Format

username

String

friendlyName

String

permissions

UserInfoResourceToAccess

roles

List of StorageUserInfoRole

StorageUserInfoRole

Role is wire compatible with the old format of storage.Role and hence only includes role name and associated permissions.

Field Name Required Nullable Type Description Format

name

String

resourceToAccess

Map of StorageAccess

TraitsMutabilityMode

eXPeRIMeNTAL. NOTe: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATe and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATe_FORCeD forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATe to ALLOW_MUTATe_FORCeD is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATe.

enum Values

ALLOW_MUTATe

ALLOW_MUTATe_FORCeD

TraitsOrigin

Origin specifies the origin of an object. Objects can have four different origins: - IMPeRATIVe: the object was created via the API. This is assumed by default. - DeFAULT: the object is a default object, such as default roles, access scopes etc. - DeCLARATIVe: the object is created via declarative configuration. - DeCLARATIVe_ORPHANeD: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DeCLARATIVe origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPeRATIVe origin. Objects with the DeFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPeRATIVe origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DeCLARATIVe_ORPHANeD origin are not allowed to be modified via either API or declarative configuration. DeCLARATIVe_ORPHANeD resource can become DeCLARATIVe again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

enum Values

IMPeRATIVe

DeFAULT

DeCLARATIVe

DeCLARATIVe_ORPHANeD

TraitsVisibility

eXPeRIMeNTAL. visibility allows to specify whether the object should be visible for certain APIs.

enum Values

VISIBLe

HIDDeN

UserInfoResourceToAccess

ResourceToAccess represents a collection of permissions. It is wire compatible with the old format of storage.Role and replaces it in places where only aggregated permissions are required.

Field Name Required Nullable Type Description Format

resourceToAccess

Map of StorageAccess

V1AuthStatus

Field Name Required Nullable Type Description Format

userId

String

serviceId

StorageServiceIdentity

expires

Date

date-time

refreshUrl

String

authProvider

StorageAuthProvider

userInfo

StorageUserInfo

userAttributes

List of V1UserAttribute

idpToken

String

Token returned to ACS by the underlying identity provider. This field is set only in a few, specific contexts. Do not rely on this field being present in the response.

V1AvailableProviderTypesResponse

Field Name Required Nullable Type Description Format

authProviderTypes

List of AvailableProviderTypesResponseAuthProviderType

V1exchangeTokenRequest

Field Name Required Nullable Type Description Format

externalToken

String

The external authentication token. The server will mask the value of this credential in responses and logs.

type

String

state

String

V1exchangeTokenResponse

Field Name Required Nullable Type Description Format

token

String

clientState

String

test

Boolean

user

V1AuthStatus

V1GetAuthProvidersResponse

Field Name Required Nullable Type Description Format

authProviders

List of StorageAuthProvider

V1GetLoginAuthProvidersResponse

Field Name Required Nullable Type Description Format

authProviders

List of GetLoginAuthProvidersResponseLoginAuthProvider

V1UpdateAuthProviderRequest

Field Name Required Nullable Type Description Format

id

String

name

String

enabled

Boolean

V1UserAttribute

Field Name Required Nullable Type Description Format

key

String

values

List of string