Skip to main content
A newer release of this product is available.

Create the OAuth 2.0 configuration

Contributors

POST /security/authentication/cluster/oauth2/clients

Introduced In: 9.14

Creates the OAuth 2.0 configuration.

Required properties

  • name

  • application

  • issuer

Optional properties

  • audience

  • client_id

  • client_secret

  • introspection.endpoint_uri

  • introspection.interval

  • remote_user_claim

  • jwks.provider_uri

  • jwks.refresh_interval

  • outgoing_proxy

  • use_local_roles_if_present

  • skip_uri_validation

  • use_mutual_tls

  • security oauth2 client create

Parameters

Name Type In Required Description

return_timeout

integer

query

False

The number of seconds to allow the call to execute before returning. When doing a POST, PATCH, or DELETE operation on a single record, the default is 0 seconds. This means that if an asynchronous operation is started, the server immediately returns HTTP code 202 (Accepted) along with a link to the job. If a non-zero value is specified for POST, PATCH, or DELETE operations, ONTAP waits that length of time to see if the job completes so it can return something other than 202.

  • Default value: 1

  • Max value: 120

  • Min value: 0

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

Request Body

Name Type Description

_links

_links

application

string

The name of the application using OAuth 2.0. Required for POST operations.

audience

string

The OAuth 2.0 Audience.

client_id

string

The OAuth 2.0 client ID. Required in POST operations for remote introspection.

client_secret

string

The OAuth 2.0 client secret. Required in POST operations for remote introspection.

hashed_client_secret

string

The OAuth 2.0 client secret as a SHA256 HMAC hashed value created with the cluster UUID as its HMAC secret key.

introspection

introspection

issuer

string

The OAuth 2.0 Issuer.

jwks

jwks

name

string

The configuration name. Required for POST operations.

outgoing_proxy

string

Outgoing proxy to access external identity providers (IdPs). If not specified, no proxy is configured.

remote_user_claim

string

The remote user claim.

skip_uri_validation

boolean

Indicates whether or not to validate the input URIs. Default value is false.

use_local_roles_if_present

boolean

Indicates whether or not to use locally confgiured roles, if present. Default value is false.

use_mutual_tls

string

OAuth 2.0 mutual TLS authentication setting. Set this value to "none" to disable mutual TLS authentication. Set this value to "required" to enforce mutual TLS authentication for all access tokens and reject any token that does not have x5t#S256 property in the cnf section. The default value is "request" which means mutual TLS authentication is enforced only if the x5t#S256 property is present in the cnf section of the access token.

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "application": "string",
  "audience": "string",
  "client_id": "string",
  "client_secret": "string",
  "hashed_client_secret": "string",
  "introspection": {
    "endpoint_uri": "https://examplelab.customer.com/token/introspect",
    "interval": "PT1H"
  },
  "issuer": "https://examplelab.customer.com",
  "jwks": {
    "provider_uri": "https://examplelab.customer.com/pf/JWKS",
    "refresh_interval": "PT2H"
  },
  "name": "auth0",
  "outgoing_proxy": "https://johndoe:secretpass@proxy.example.com:8080",
  "remote_user_claim": "string",
  "use_mutual_tls": "string"
}

Response

Status: 202, Accepted
Name Type Description

job

job_link

Example response
{
  "job": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "uuid": "string"
  }
}

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Response

Status: 201, Created

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

203817010

Client ID is required for remote introspection.

203817011

Client secret is required for remote introspection.

203817012

Client ID and client secret required for remote introspection.

203817013

JWKS URI should not be configured for remote introspection.

203817014

JWKS refresh interval should not be specified for remote introspection.

203817015

The token introspection endpoint is required for remote introspection.

203817016

JWKS refresh interval provided without providing JWKS URI.

203817017

Minimum supported value of JWKS refresh interval is 300 seconds.

203817018

Required parameters for either local validation or remote introspection are missing. Provide either the JWKS URI for local validation, or metadata configuration URI or token introspection endpoint with client ID and secret for remote introspection.

203817019

Failed to add new IDP client because number of maximum supported IDP clients is already reached.

203817020

Internal error. Failed to validate provider URI.

203817021

OAuth 2.0 Provider URI validation failed with error.

203817022

OAuth 2.0 Provider JWKS URI validation failed. Received empty response message from the JWKS URI.

203817023

OAuth 2.0 Provider JWKS URI validation failed. No keys were found in response message received from the JWKS URI.

203817024

Internal error. Unable to allocate memory for CURL response.

203817025

Maximum value of JWKS refresh interval is 2147483647 seconds.

203817033

OAuth 2.0 Provider Introspection endpoint validation failed. Received empty response message from the Introspection endpoint.

203817034

OAuth 2.0 Provider Introspection endpoint validation failed. Received invalid response message for Introspection request.

203817042

Maximum value of introspection interval is 2147483647 seconds.

Also see the table of common errors in the Response body overview section of this documentation.

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

self

href

introspection

Name Type Description

endpoint_uri

string

The token introspection endpoint URI.

interval

string

The refresh interval for caching tokens, in ISO-8601 format. This can be set to the value "disabled" to disable caching of tokens. When set to 0, tokens are cached according to the expiry period in them. Otherwise, it can be set to a value from 1 second to 2147483647 seconds.

jwks

Name Type Description

provider_uri

string

The URI on which the JSON Web Key Set (JWKS) are hosted.

refresh_interval

string

The refresh interval for the JSON Web Key Set (JWKS), in ISO-8601 format. This can be set to a value from 300 seconds to 2147483647 seconds.

security_oauth2

Name Type Description

_links

_links

application

string

The name of the application using OAuth 2.0. Required for POST operations.

audience

string

The OAuth 2.0 Audience.

client_id

string

The OAuth 2.0 client ID. Required in POST operations for remote introspection.

client_secret

string

The OAuth 2.0 client secret. Required in POST operations for remote introspection.

hashed_client_secret

string

The OAuth 2.0 client secret as a SHA256 HMAC hashed value created with the cluster UUID as its HMAC secret key.

introspection

introspection

issuer

string

The OAuth 2.0 Issuer.

jwks

jwks

name

string

The configuration name. Required for POST operations.

outgoing_proxy

string

Outgoing proxy to access external identity providers (IdPs). If not specified, no proxy is configured.

remote_user_claim

string

The remote user claim.

skip_uri_validation

boolean

Indicates whether or not to validate the input URIs. Default value is false.

use_local_roles_if_present

boolean

Indicates whether or not to use locally confgiured roles, if present. Default value is false.

use_mutual_tls

string

OAuth 2.0 mutual TLS authentication setting. Set this value to "none" to disable mutual TLS authentication. Set this value to "required" to enforce mutual TLS authentication for all access tokens and reject any token that does not have x5t#S256 property in the cnf section. The default value is "request" which means mutual TLS authentication is enforced only if the x5t#S256 property is present in the cnf section of the access token.

Name Type Description

_links

_links

uuid

string

The UUID of the asynchronous job that is triggered by a POST, PATCH, or DELETE operation.

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

returned_error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.