The MITREid Connect server has a robust RESTful API that is used to manage various aspects of the server's configuration. In fact, the administration UI is really just a JavaScript application that uses this RESTful API to do its job.
The API may be accessed through an active web session within the application (i.e., any JavaScript running on the server itself) or by authorizing a client application through OAuth.
Manages all registered clients on the system, both statically and dynamically registered. Note that in this API's data model, the id field is distinct from the clientId field used in OAuth. This is a deliberate distinction to allow the clientId to be edited through the API.
Non-administrator end users can use Dynamic Client Registration and Protected Resource Registration to register clients and resources, respectively. These provide a more limited set of options compared to the full administrative API documented here.
Endpoint: /api/clients
Requires ROLE_USER or ROLE_ADMIN access.
Get a list of all clients on the system; returns results in `application/json`.
[
{
"id": 1,
"clientId": "client",
"clientSecret": "secret",
"redirectUris": [
"http://localhost/",
"http://localhost:8080/"
],
"clientName": "Test Client",
"clientUri": null,
"logoUri": null,
"contacts": [ ],
"tosUri": null,
"tokenEndpointAuthMethod": null,
"scope": [
"phone",
"openid",
"offline_access",
"address",
"email",
"profile"
],
"grantTypes": [
"implicit",
"authorization_code",
"urn:ietf:params:oauth:grant_type:redelegate",
"refresh_token"
],
"responseTypes": [ ],
"policyUri": null,
"jwksUri": null,
"applicationType": null,
"sectorIdentifierUri": null,
"subjectType": null,
"requestObjectSigningAlg": null,
"userInfoSignedResponseAlg": null,
"userInfoEncryptedResponseAlg": null,
"userInfoEncryptedResponseEnc": null,
"idTokenSignedResponseAlg": null,
"idTokenEncryptedResponseAlg": null,
"idTokenEncryptedResponseEnc": null,
"tokenEndpointAuthSigningAlg": null,
"defaultMaxAge": null,
"requireAuthTime": null,
"defaultACRvalues": [ ],
"initiateLoginUri": null,
"postLogoutRedirectUri": null,
"requestUris": [ ],
"authorities": [ ],
"accessTokenValiditySeconds": 3600,
"refreshTokenValiditySeconds": null,
"resourceIds": [ ],
"clientDescription": null,
"reuseRefreshToken": true,
"dynamicallyRegistered": false,
"allowIntrospection": true,
"idTokenValiditySeconds": 600,
"createdAt": null
},
{
"id": 2,
"clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
"clientSecret": "EGvdSfyecgUeB44WWERaQXqHOECjbDmpkOupUUItxELqb6h1qtpMmPscIUsRo8_vC1JN8WQlG3-5Lp9q7J8XUg",
"redirectUris": [
"http://localhost:8080/simple-web-app/openid_connect_login"
],
"clientName": "Simple Web App",
"clientUri": null,
"logoUri": null,
"contacts": [ ],
"tosUri": null,
"tokenEndpointAuthMethod": "SECRET_JWT",
"scope": [
"openid",
"phone",
"email",
"address",
"profile"
],
"grantTypes": [
"authorization_code"
],
"responseTypes": [
"code"
],
"policyUri": null,
"jwksUri": null,
"applicationType": null,
"sectorIdentifierUri": null,
"subjectType": null,
"requestObjectSigningAlg": null,
"userInfoSignedResponseAlg": null,
"userInfoEncryptedResponseAlg": null,
"userInfoEncryptedResponseEnc": null,
"idTokenSignedResponseAlg": null,
"idTokenEncryptedResponseAlg": null,
"idTokenEncryptedResponseEnc": null,
"tokenEndpointAuthSigningAlg": "HS256",
"defaultMaxAge": null,
"requireAuthTime": null,
"defaultACRvalues": [ ],
"initiateLoginUri": null,
"postLogoutRedirectUri": null,
"requestUris": [ ],
"authorities": [ ],
"accessTokenValiditySeconds": 3600,
"refreshTokenValiditySeconds": null,
"resourceIds": [ ],
"clientDescription": "",
"reuseRefreshToken": true,
"dynamicallyRegistered": true,
"allowIntrospection": false,
"idTokenValiditySeconds": 600,
"createdAt": "2014-05-28T16:42:26-0400"
}
]
Note: This method will return different information depending on whether or not the authorized user is an administrator. A non-administrator will get a limited set of information back:
[
{
"id": 1,
"clientId": "client",
"clientName": "Test Client",
"logoUri": null,
"scope": [
"phone",
"openid",
"offline_access",
"address",
"email",
"profile"
],
"clientDescription": null
},
{
"id": 2,
"clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
"clientName": "Simple Web App",
"logoUri": null,
"scope": [
"openid",
"phone",
"email",
"address",
"profile"
],
"clientDescription": ""
}
]
Requires ROLE_ADMIN access.
Create a new client on the system. Request body is an `application/json` object with all client parameters:
{
"clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
"clientSecret": "EGvdSfyecgUeB44WWERaQXqHOECjbDmpkOupUUItxELqb6h1qtpMmPscIUsRo8_vC1JN8WQlG3-5Lp9q7J8XUg",
"redirectUris": [
"http://localhost:8080/simple-web-app/openid_connect_login"
],
"clientName": "Simple Web App",
"clientUri": null,
"logoUri": null,
"contacts": [ ],
"tosUri": null,
"tokenEndpointAuthMethod": "SECRET_JWT",
"scope": [
"openid",
"phone",
"email",
"address",
"profile"
],
"grantTypes": [
"authorization_code"
],
"responseTypes": [
"code"
],
"policyUri": null,
"jwksUri": null,
"applicationType": null,
"sectorIdentifierUri": null,
"subjectType": null,
"requestObjectSigningAlg": null,
"userInfoSignedResponseAlg": null,
"userInfoEncryptedResponseAlg": null,
"userInfoEncryptedResponseEnc": null,
"idTokenSignedResponseAlg": null,
"idTokenEncryptedResponseAlg": null,
"idTokenEncryptedResponseEnc": null,
"tokenEndpointAuthSigningAlg": "HS256",
"defaultMaxAge": null,
"requireAuthTime": null,
"defaultACRvalues": [ ],
"initiateLoginUri": null,
"postLogoutRedirectUri": null,
"requestUris": [ ],
"authorities": [ ],
"accessTokenValiditySeconds": 3600,
"refreshTokenValiditySeconds": null,
"resourceIds": [ ],
"clientDescription": "",
"reuseRefreshToken": true,
"dynamicallyRegistered": false,
"allowIntrospection": false,
"idTokenValiditySeconds": 600
}
Any omitted values will be filled in with appropriate defaults in the following manner:
- If `clientId` is empty, a new client id will be generated by the server
- If `clientSecret` is empty and a field named `generateSecret` is sent and set to `true`, then a new client secret will be generated by the server
- If `scope` is omitted or null, all system scopes marked as "default" will be assigned to the client
The server will return an updated copy of the object in `application/json` format as described under GET /api/clients/{id}.
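The creation defaults above and the limited non-administrator view shown under the list call are the two details most often mishandled by scripts driving this API. The following Python is an added example, not MITREid Connect code: it applies the three documented default rules to a request body and projects a full client object onto the non-administrator field set. The system-scope sample is constructed from the page's GET /api/scopes output, and the way the id and secret are generated is this example's own (hypothetical) choice, not the server's algorithm.

```python
import copy
import secrets

# Constructed from the page's GET /api/scopes sample; only the fields this
# example reads are kept.
SYSTEM_SCOPES = [
    {"value": "openid", "defaultScope": True, "allowDynReg": True},
    {"value": "profile", "defaultScope": True, "allowDynReg": True},
    {"value": "email", "defaultScope": True, "allowDynReg": True},
    {"value": "address", "defaultScope": True, "allowDynReg": True},
    {"value": "phone", "defaultScope": True, "allowDynReg": True},
    {"value": "offline_access", "defaultScope": True, "allowDynReg": True},
    {"value": "structured", "defaultScope": False, "allowDynReg": False},
]

# The fields a non-administrator receives from GET /api/clients and
# GET /api/clients/{id}, as listed on the page.
NON_ADMIN_FIELDS = ("id", "clientId", "clientName", "logoUri", "scope", "clientDescription")


def apply_creation_defaults(request_body, system_scopes=SYSTEM_SCOPES):
    """Return a copy of a POST /api/clients body with the documented defaults applied.

    The three rules are the page's; the id and secret generators used here are
    this example's own (hypothetical) choice and say nothing about the server's.
    """
    client = copy.deepcopy(request_body)

    # Rule 1: an empty clientId is replaced by a generated one.
    if not client.get("clientId"):
        client["clientId"] = secrets.token_hex(16)

    # Rule 2: a secret is generated only if the caller sent generateSecret=true
    # and left clientSecret empty. generateSecret is a request flag rather than a
    # client field, so this example drops it from the object it keeps.
    generate = client.pop("generateSecret", False)
    if not client.get("clientSecret") and generate is True:
        client["clientSecret"] = secrets.token_urlsafe(64)

    # Rule 3: an omitted or null scope list becomes every system scope marked default.
    if client.get("scope") is None:
        client["scope"] = [s["value"] for s in system_scopes if s["defaultScope"]]

    return client


def limited_view(client):
    """Project a full (administrator) client object onto the non-administrator view."""
    return {field: client.get(field) for field in NON_ADMIN_FIELDS}


def exposes_secret(body):
    """True if a response body carries clientSecret, which only ROLE_ADMIN callers should see."""
    return "clientSecret" in body


if __name__ == "__main__":
    # Minimal body: no id, no secret, no scope, but asking for a minted secret.
    created = apply_creation_defaults({"clientName": "Demo", "generateSecret": True,
                                       "redirectUris": ["http://localhost/"]})
    print(created)
    print(limited_view(created), exposes_secret(limited_view(created)))
```

Rule 2 is the one to watch operationally: a POST that omits both `clientSecret` and `generateSecret` leaves the secret unset, which is only appropriate for a client that never authenticates at the token endpoint. The projection helper doubles as a quick check that a non-administrator response never carries `clientSecret`.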
Requires ROLE_USER or ROLE_ADMIN access.
Get information about a specific client identified by {id} in the URL, in `application/json` format.
{
"id": 1,
"clientId": "client",
"clientSecret": "secret",
"redirectUris": [
"http://localhost/",
"http://localhost:8080/"
],
"clientName": "Test Client",
"clientUri": null,
"logoUri": null,
"contacts": [ ],
"tosUri": null,
"tokenEndpointAuthMethod": null,
"scope": [
"phone",
"openid",
"offline_access",
"address",
"email",
"profile"
],
"grantTypes": [
"implicit",
"authorization_code",
"urn:ietf:params:oauth:grant_type:redelegate",
"refresh_token"
],
"responseTypes": [ ],
"policyUri": null,
"jwksUri": null,
"applicationType": null,
"sectorIdentifierUri": null,
"subjectType": null,
"requestObjectSigningAlg": null,
"userInfoSignedResponseAlg": null,
"userInfoEncryptedResponseAlg": null,
"userInfoEncryptedResponseEnc": null,
"idTokenSignedResponseAlg": null,
"idTokenEncryptedResponseAlg": null,
"idTokenEncryptedResponseEnc": null,
"tokenEndpointAuthSigningAlg": null,
"defaultMaxAge": null,
"requireAuthTime": null,
"defaultACRvalues": [ ],
"initiateLoginUri": null,
"postLogoutRedirectUri": null,
"requestUris": [ ],
"authorities": [ ],
"accessTokenValiditySeconds": 3600,
"refreshTokenValiditySeconds": null,
"resourceIds": [ ],
"clientDescription": null,
"reuseRefreshToken": true,
"dynamicallyRegistered": false,
"allowIntrospection": true,
"idTokenValiditySeconds": 600,
"createdAt": null
}
Note: This method will return different information depending on whether or not the authorized user is an administrator. A non-administrator will get a limited set of information back:
{
"id": 1,
"clientId": "client",
"clientName": "Test Client",
"logoUri": null,
"scope": [
"phone",
"openid",
"offline_access",
"address",
"email",
"profile"
],
"clientDescription": null
}
Requires ROLE_ADMIN access.
Update the information for the client identified by {id} in the URL. The request body must be `application/json` describing the entire client object:
{
"id": 2,
"clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
"clientSecret": "EGvdSfyecgUeB44WWERaQXqHOECjbDmpkOupUUItxELqb6h1qtpMmPscIUsRo8_vC1JN8WQlG3-5Lp9q7J8XUg",
"redirectUris": [
"http://localhost:8080/simple-web-app/openid_connect_login"
],
"clientName": "Simple Web App",
"clientUri": null,
"logoUri": null,
"contacts": [ ],
"tosUri": null,
"tokenEndpointAuthMethod": "SECRET_JWT",
"scope": [
"openid",
"phone",
"email",
"address",
"profile"
],
"grantTypes": [
"authorization_code"
],
"responseTypes": [
"code"
],
"policyUri": null,
"jwksUri": null,
"applicationType": null,
"sectorIdentifierUri": null,
"subjectType": null,
"requestObjectSigningAlg": null,
"userInfoSignedResponseAlg": null,
"userInfoEncryptedResponseAlg": null,
"userInfoEncryptedResponseEnc": null,
"idTokenSignedResponseAlg": null,
"idTokenEncryptedResponseAlg": null,
"idTokenEncryptedResponseEnc": null,
"tokenEndpointAuthSigningAlg": "HS256",
"defaultMaxAge": null,
"requireAuthTime": null,
"defaultACRvalues": [ ],
"initiateLoginUri": null,
"postLogoutRedirectUri": null,
"requestUris": [ ],
"authorities": [ ],
"accessTokenValiditySeconds": 3600,
"refreshTokenValiditySeconds": null,
"resourceIds": [ ],
"clientDescription": "",
"reuseRefreshToken": true,
"dynamicallyRegistered": true,
"allowIntrospection": false,
"idTokenValiditySeconds": 600,
"createdAt": "2014-05-28T16:42:26-0400"
}
Any omitted values will be filled in with appropriate defaults in the following manner:
- If `clientId` is empty, a new client id will be generated by the server
- If `clientSecret` is empty and a field named `generateSecret` is sent and set to `true`, then a new client secret will be generated by the server
- If `scope` is omitted or null, all system scopes marked as "default" will be assigned to the client
The server will return an updated copy of the object in `application/json` format as described under GET /api/clients/{id} on success.
Requires ROLE_ADMIN access.
Deletes the client with the {id} in the URL.
Returns HTTP 200 with an empty page on success.
Whitelist entries allow an administrator to specify which clients will not prompt the user for authorization under certain circumstances, such as when the requested scopes are a subset of the scopes listed for that client.
Endpoint: /api/whitelist
Requires ROLE_USER or ROLE_ADMIN access.
Get a list of all whitelists on the system; returns results in `application/json`.
[
{
"id": 1,
"creatorUserId": "admin",
"clientId": "client",
"allowedScopes": [
"email",
"openid",
"profile"
]
}
]
Requires ROLE_ADMIN access.
Create a new whitelist on the system. Message body is an `application/json` object with all information:
{
"creatorUserId": "admin",
"clientId": "client",
"allowedScopes": [
"email",
"openid",
"profile"
]
}
The server will return an updated copy of the object in `application/json` format as described under GET /api/whitelist/{id} on success.
Requires ROLE_USER or ROLE_ADMIN access.
Get information about a specific whitelist identified by {id} in the URL, in `application/json` format.
For example, the call to `/api/whitelist/1` would return:
{
"id": 1,
"creatorUserId": "admin",
"clientId": "client",
"allowedScopes": [
"email",
"openid",
"profile"
]
}
Requires ROLE_ADMIN access.
Update the information for the whitelist identified by {id} in the URL. The request body must be `application/json` describing the entire whitelist object:
{
"id": 1,
"creatorUserId": "admin",
"clientId": "client",
"allowedScopes": [
"email",
"openid",
"profile"
]
}
The server will return an updated copy of the object in `application/json` format as described under GET /api/whitelist/{id} on success.
Requires ROLE_ADMIN access.
Deletes the whitelist with the {id} in the URL.
Returns HTTP 200 with an empty page on success.
Blacklist entries allow an administrator to determine which URLs may not be used as redirect URIs for any clients, either dynamically or statically registered.
Endpoint: /api/blacklist
Requires ROLE_USER or ROLE_ADMIN access.
Get a list of all blacklists on the system; returns results in `application/json`.
[
{
"id": 1,
"uri": "http://baddomain.com/"
},
{
"id": 2,
"uri": "http://evil.biz/"
}
]
Requires ROLE_ADMIN access.
Create a new blacklist on the system. Message body is an `application/json` object with all information:
{
"uri": "http://baddomain.com/"
}
The server will return an updated copy of the object in `application/json` format as described under GET /api/blacklist/{id} on success.
Requires ROLE_USER or ROLE_ADMIN access.
Get information about a specific blacklist identified by {id} in the URL, in `application/json` format.
For example, the call to `/api/blacklist/1` would return:
{
"uri": "http://baddomain.com/"
}
Requires ROLE_ADMIN access.
Update the information for the blacklist identified by {id} in the URL. The request body must be `application/json` describing the entire blacklist object:
{
"uri": "http://baddomain.com/"
}
The server will return an updated copy of the object in `application/json` format as described under GET /api/blacklist/{id} on success.
Requires ROLE_ADMIN access.
Deletes the blacklist with the {id} in the URL.
Returns HTTP 200 with an empty page on success.
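The whitelist (skip the consent prompt when the requested scopes are a subset of `allowedScopes`) and the blacklist (redirect URIs no client may register) are both policy data an administrator can pull through the endpoints above and evaluate offline, for instance to pre-check a client object before a PUT to /api/clients/{id}. The following Python is an added example, not project code. The whitelist and blacklist samples are copied from the page's GET responses; the exact-string comparison for blacklist entries is this example's assumption, since the page does not state the matching rule the server applies.

```python
# Samples copied from the page's GET /api/whitelist and GET /api/blacklist output.
WHITELIST = [
    {"id": 1, "creatorUserId": "admin", "clientId": "client",
     "allowedScopes": ["email", "openid", "profile"]},
]
BLACKLIST = [
    {"id": 1, "uri": "http://baddomain.com/"},
    {"id": 2, "uri": "http://evil.biz/"},
]


def is_blacklisted(uri, blacklist=BLACKLIST):
    """Check one redirect URI against the blacklist entries.

    Assumption (this example's, not the page's): entries are compared as literal
    strings. A deployment that wants prefix or host matching has to add it here,
    and its blacklist entries have to cover the variants it cares about.
    """
    return any(entry["uri"] == uri for entry in blacklist)


def blacklisted_redirects(client, blacklist=BLACKLIST):
    """Return the redirectUris of a client object that collide with the blacklist.

    An empty result means the object is safe to submit to POST/PUT /api/clients
    as far as the blacklist is concerned.
    """
    return [u for u in client.get("redirectUris", []) if is_blacklisted(u, blacklist)]


def prompt_required(client_id, requested_scopes, whitelist=WHITELIST):
    """Decide whether the user must be asked to approve an authorization request.

    The prompt is skipped only when a whitelist entry exists for the client and
    every requested scope is in that entry's allowedScopes (the "subset of the
    scopes" condition on the page). Every other case falls back to prompting,
    including an empty whitelist and a client with no entry at all.
    """
    requested = set(requested_scopes)
    for entry in whitelist:
        if entry["clientId"] == client_id and requested <= set(entry["allowedScopes"]):
            return False
    return True


def whitelist_scope_problems(whitelist, clients):
    """Flag whitelist entries that allow scopes the client itself is not registered for.

    Such an entry is harmless at run time (the client cannot request those scopes)
    but usually means the client was edited after the whitelist was written.
    """
    by_id = {c["clientId"]: set(c.get("scope", [])) for c in clients}
    problems = []
    for entry in whitelist:
        extra = set(entry["allowedScopes"]) - by_id.get(entry["clientId"], set())
        if entry["clientId"] not in by_id:
            problems.append((entry["id"], "no such client"))
        elif extra:
            problems.append((entry["id"], "allows unregistered scopes: " + ",".join(sorted(extra))))
    return problems


if __name__ == "__main__":
    sample_client = {"clientId": "client", "scope": ["openid", "email"],
                     "redirectUris": ["http://localhost/", "http://baddomain.com/"]}
    print(blacklisted_redirects(sample_client))
    print(prompt_required("client", ["openid", "email"]))
    print(whitelist_scope_problems(WHITELIST, [sample_client]))
```

The fallback direction in `prompt_required` is deliberate: when in doubt the user is asked, which matches how a whitelist should fail. The last helper is an audit the whitelist endpoints make cheap, since both the whitelist and the full client list are one GET each for an administrator.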
System scopes define special scopes that have metadata attached to them, such as a human-readable description, an icon, and flags indicating whether or not they are assigned to newly-created clients (`defaultScope`) or are available for dynamically registered clients to request (`allowDynReg`). Clients that are managed through the admin UI/API can have scopes that are not registered as system scopes.
Endpoint: /api/scopes
Requires ROLE_USER or ROLE_ADMIN access.
Get a list of all system scopes on the system; returns results in `application/json`.
[
{
"id": 1,
"value": "openid",
"description": "log in using your identity",
"icon": "user",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
},
{
"id": 2,
"value": "profile",
"description": "basic profile information",
"icon": "list-alt",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
},
{
"id": 3,
"value": "email",
"description": "email address",
"icon": "envelope",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
},
{
"id": 4,
"value": "address",
"description": "physical address",
"icon": "home",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
},
{
"id": 5,
"value": "phone",
"description": "telephone number",
"icon": "bell",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
},
{
"id": 6,
"value": "offline_access",
"description": "offline access",
"icon": "time",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
},
{
"id": 7,
"value": "structured",
"description": "a demonstration of a structured scope",
"icon": "th",
"allowDynReg": false,
"defaultScope": false,
"structured": true,
"structuredParamDescription": "the parameter would go here",
"structuredValue": null
}
]
Requires ROLE_ADMIN access.
Create a new scope on the system. Message body is an `application/json` object with all information:
{
"value": "openid",
"description": "log in using your identity",
"icon": "user",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
}
The server will return an updated copy of the object in `application/json` format as described under GET /api/scopes/{id} on success. Scope values must be unique. If a client attempts to create a new scope with an existing value, the request will be rejected.
Requires ROLE_USER or ROLE_ADMIN access.
Get information about a specific scope identified by {id} in the URL, in `application/json` format.
For example, the call to `/api/scopes/1` would return:
{
"id": 1,
"value": "openid",
"description": "log in using your identity",
"icon": "user",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
}
Requires ROLE_ADMIN access.
Update the information for the scope identified by {id} in the URL. The request body must be `application/json` describing the entire scope object:
{
"id": 1,
"value": "openid",
"description": "log in using your identity",
"icon": "user",
"allowDynReg": true,
"defaultScope": true,
"structured": false,
"structuredParamDescription": null,
"structuredValue": null
}
The server will return an updated copy of the object in `application/json` format as described under GET /api/scopes/{id} on success.
Requires ROLE_ADMIN access.
Deletes the scope with the {id} in the URL. Any clients that are currently registered with the scope will retain this scope value but will no longer have the user-readable text or icon associated with it.
Returns HTTP 200 with an empty page on success.
Approved sites represent a decision by an end user (or "authorization grant") that has been stored. Future authorization requests that match the parameters of this approval will be granted automatically. This API allows for reading and deleting existing approvals. New approvals are created during the normal course of the OAuth protocol, and approved sites can not be updated.
Endpoint: /api/approved
Requires ROLE_USER access.
Gets a list of the approved sites for the current user in `application/json` format.
[
{
"id": 1,
"userId": "jricher",
"clientId": "client",
"creationDate": "2013-04-26T14:57:21-0400",
"accessDate": "2013-04-26T14:57:21-0400",
"timeoutDate": null,
"allowedScopes": [
"email",
"phone",
"openid"
],
"whitelistedSite": null,
"approvedAccessTokens": [ 3, 4 ]
}
]
Requires ROLE_USER access.
Gets the approved site with the {id} indicated in the URL, in `application/json` format. Users may only get approved sites that belong to them.
{
"id": 2,
"userId": "jricher",
"clientId": "client",
"creationDate": "2013-04-26T14:57:21-0400",
"accessDate": "2013-04-26T14:57:21-0400",
"timeoutDate": null,
"allowedScopes": [
"email",
"phone",
"openid"
],
"whitelistedSite": 1,
"approvedAccessTokens": [ 6 ]
}
Requires ROLE_USER access.
Deletes the approved site with the given {id} in the URL. Users may delete only their own approved sites. Any tokens associated with the approved site remain active. Note: This behavior will likely change in a future version of the software.
The server responds with an HTTP 200 code and a blank page on success.
This API allows a user to read and delete their currently-valid access tokens and refresh tokens. ID Tokens are listed as access tokens.
Note that this is not a full CRUD API as the "create" action is taken care of by standard OAuth flows and the "update" action is not allowed.
Clients and protected resources wishing to delete tokens issued to them can alternatively use the token revocation API, also supported by the server at `{$issuer}/revoke`.
Endpoint: /api/tokens
Requires ROLE_USER access.
Gets the list of currently active access tokens (including ID tokens) approved by the requesting user in `application/json` format.
[
{
"value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTE1MjksInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwibm9uY2UiOiIzNTU1MTk4ZDU3YjZiIiwiYXVkIjpbImE4YWY3NTNjLWYzMjQtNGU0MC1hMTc3LTg3ZGZjMDYyNDliNyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvb3BlbmlkLWNvbm5lY3Qtc2VydmVyLXdlYmFwcFwvIiwiaWF0IjoxNDAxMzEwOTI5fQ.gSflavUWvb_-ZY3D701uQ0H_65YBm9TH4llovFDEnHjeecxA_phUwDRksnyctXQuPHZQ9yXnwDaSquDh1jRE_XZOdp0igsWl_ZlBUHvESugGzBjSOujh2112j___KMTsv8oXLmBBoebqExMEHbT_9PMHBvQaiHO82S2ipd32d1I",
"id": 5,
"idTokenId": null,
"refreshTokenId": null,
"scopes": [
"id-token"
],
"clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
"userId": "admin",
"expiration": "2014-05-28T17:12:09-0400"
},
{
"value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTQ1MjksImF1ZCI6WyJhOGFmNzUzYy1mMzI0LTRlNDAtYTE3Ny04N2RmYzA2MjQ5YjciXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6Ijg4ZjM4OGE4LTk1NzctNGQyMC1hZTZjLWMyMDMxOGQ1OWJjNiIsImlhdCI6MTQwMTMxMDkyOX0.HYnNxRvGRdKFykVChL-hdxszcFBvygkeUmc8_iv2Jl4MU-jPJVzMnTwKJbCMWBjeBp8hrb0Dgd9XbnHUDyXxwj8MDrWQEH3QnwYJGRW9JFWjHMGfKDQDFY6Ffl3OFERVbyoB2ObiGTUgbw4Nkl1L1ihuMpMAc5nKi0rk3QXcS1M",
"id": 6,
"idTokenId": 5,
"refreshTokenId": null,
"scopes": [
"openid",
"phone",
"email",
"address",
"profile"
],
"clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
"userId": "admin",
"expiration": "2014-05-28T18:02:09-0400"
}
]
Requires ROLE_USER access.
Gets a single access token by its {id} in `application/json` format. The given {id} must point to a token that is tied to the authenticated user.
{
"value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTQ1MjksImF1ZCI6WyJhOGFmNzUzYy1mMzI0LTRlNDAtYTE3Ny04N2RmYzA2MjQ5YjciXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6Ijg4ZjM4OGE4LTk1NzctNGQyMC1hZTZjLWMyMDMxOGQ1OWJjNiIsImlhdCI6MTQwMTMxMDkyOX0.HYnNxRvGRdKFykVChL-hdxszcFBvygkeUmc8_iv2Jl4MU-jPJVzMnTwKJbCMWBjeBp8hrb0Dgd9XbnHUDyXxwj8MDrWQEH3QnwYJGRW9JFWjHMGfKDQDFY6Ffl3OFERVbyoB2ObiGTUgbw4Nkl1L1ihuMpMAc5nKi0rk3QXcS1M",
"id": 6,
"idTokenId": 5,
"refreshTokenId": null,
"scopes": [
"openid",
"phone",
"email",
"address",
"profile"
],
"clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
"userId": "admin",
"expiration": "2014-05-28T18:02:09-0400"
}
Requires ROLE_USER access.
Deletes the access token identified by {id}. The given {id} must point to a token that is tied to the authenticated user.
Returns an HTTP 200 on success.
Requires ROLE_USER access.
Gets the list of currently active refresh tokens approved by the requesting user in `application/json` format.
[
{
"value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJmYzYwNmZhZS04MmMyLTQwZWEtOTAzYi03OWI1NDdiNDg1YjUifQ.",
"id": 1,
"scopes": [
"phone",
"offline_access",
"email",
"address",
"profile"
],
"clientId": "client",
"userId": "admin",
"expiration": null
},
{
"value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiI5MzkwOTc0YS0zZDI0LTQ4ZWItYWFiYS1kZDdjMTc5NDZlZmMifQ.",
"id": 2,
"scopes": [
"address",
"email",
"offline_access",
"phone",
"profile"
],
"clientId": "client",
"userId": "admin",
"expiration": null
}
]
Requires ROLE_USER access.
Gets a single refresh token by its {id} in `application/json` format. The given {id} must point to a token that is tied to the authenticated user.
{
"value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiI5MzkwOTc0YS0zZDI0LTQ4ZWItYWFiYS1kZDdjMTc5NDZlZmMifQ.",
"id": 2,
"scopes": [
"address",
"email",
"offline_access",
"phone",
"profile"
],
"clientId": "client",
"userId": "admin",
"expiration": null
}
Requires ROLE_USER access.
Deletes the refresh token identified by {id}. The given {id} must point to a token that is tied to the authenticated user.
Returns an HTTP 200 on success.
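Because deleting an approved site leaves its tokens active (the note under the approved-sites DELETE above), and because the `value` fields returned here are JWTs, a useful task for a user or administrator is to inventory what the token endpoints return: which algorithm each token's header names, whether its `exp` claim agrees with the API's `expiration` field, and which access tokens an approval still points at so they can be deleted explicitly. The following Python is an added example, not project code. The access and refresh token samples are copied from the page; the approved-site record is constructed so that its `approvedAccessTokens` lines up with the sample access token. The decoder deliberately skips signature verification: it reads values the server itself returned over an authenticated session, so it is an inventory, not a trust decision.

```python
import base64
import json
from datetime import datetime

# Samples copied from the page's GET /api/tokens responses (one access token,
# one refresh token) plus a constructed approved-site record whose
# approvedAccessTokens refers to the sample access token.
ACCESS_TOKENS = [
    {
        "value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTQ1MjksImF1ZCI6WyJhOGFmNzUzYy1mMzI0LTRlNDAtYTE3Ny04N2RmYzA2MjQ5YjciXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6Ijg4ZjM4OGE4LTk1NzctNGQyMC1hZTZjLWMyMDMxOGQ1OWJjNiIsImlhdCI6MTQwMTMxMDkyOX0.HYnNxRvGRdKFykVChL-hdxszcFBvygkeUmc8_iv2Jl4MU-jPJVzMnTwKJbCMWBjeBp8hrb0Dgd9XbnHUDyXxwj8MDrWQEH3QnwYJGRW9JFWjHMGfKDQDFY6Ffl3OFERVbyoB2ObiGTUgbw4Nkl1L1ihuMpMAc5nKi0rk3QXcS1M",
        "id": 6, "idTokenId": 5, "refreshTokenId": None,
        "scopes": ["openid", "phone", "email", "address", "profile"],
        "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7", "userId": "admin",
        "expiration": "2014-05-28T18:02:09-0400",
    },
]
REFRESH_TOKENS = [
    {
        "value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJmYzYwNmZhZS04MmMyLTQwZWEtOTAzYi03OWI1NDdiNDg1YjUifQ.",
        "id": 1, "scopes": ["phone", "offline_access", "email", "address", "profile"],
        "clientId": "client", "userId": "admin", "expiration": None,
    },
]
APPROVED_SITE = {  # constructed for this example
    "id": 2, "userId": "admin", "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
    "allowedScopes": ["openid", "phone", "email", "address", "profile"],
    "whitelistedSite": None, "approvedAccessTokens": [6],
}


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def decode_unverified(jwt_value):
    """Split a compact JWT into (header, claims) without checking the signature.

    Inventory use only: the value came back from the server's own API, so the
    signature is not what establishes trust here.
    """
    header, payload, _signature = jwt_value.split(".")
    return _b64url_json(header), _b64url_json(payload)


def exp_matches_expiration(token):
    """Cross-check the JWT exp claim against the API's expiration field.

    A token with no expiry (the refresh tokens on the page) must have neither.
    """
    _, claims = decode_unverified(token["value"])
    exp = claims.get("exp")
    if exp is None or token["expiration"] is None:
        return exp is None and token["expiration"] is None
    api_time = datetime.strptime(token["expiration"], "%Y-%m-%dT%H:%M:%S%z")
    return int(api_time.timestamp()) == exp


def inventory(access_tokens, refresh_tokens):
    """One flat row per token: owner, client, algorithm, expiry consistency, scopes."""
    rows = []
    for kind, tokens in (("access", access_tokens), ("refresh", refresh_tokens)):
        for t in tokens:
            header, claims = decode_unverified(t["value"])
            rows.append({
                "kind": kind, "id": t["id"], "clientId": t["clientId"],
                "userId": t["userId"], "alg": header.get("alg"),
                "jti": claims.get("jti"), "expiration": t["expiration"],
                "exp_consistent": exp_matches_expiration(t),
                "scopes": sorted(t["scopes"]),
            })
    return rows


def tokens_surviving_approval_delete(approved_site, access_tokens):
    """Access tokens that stay valid after DELETE /api/approved/{id}.

    The page notes that deleting an approved site does not revoke its tokens;
    these are the ones to delete explicitly through the tokens API.
    """
    ids = set(approved_site.get("approvedAccessTokens", []))
    return [t for t in access_tokens if t["id"] in ids]


if __name__ == "__main__":
    for row in inventory(ACCESS_TOKENS, REFRESH_TOKENS):
        print(row)
    print([t["id"] for t in tokens_surviving_approval_delete(APPROVED_SITE, ACCESS_TOKENS)])
```

Two things the inventory makes visible that the raw listing does not: the page's refresh tokens carry `"alg":"none"` and only a `jti`, so their payload is a database lookup key rather than a self-contained claim set, and the access token's `exp` (1401314529) is the same instant as the API's `2014-05-28T18:02:09-0400`, which is the check to keep if a deployment ever changes token format between versions.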
The data API is used for exporting and importing data to facilitate upgrades and server cloning.
Requires ROLE_ADMIN access.
Returns an `application/json` object representing the current running state of the server, including all tokens, authorizations, clients, scopes, whitelists, blacklists, and grants. The format and content of this varies depending on the API version.
Requires ROLE_ADMIN access.
Body contains an `application/json` object representing the state of the server to import, including all tokens, authorizations, clients, scopes, whitelists, blacklists, and grants. The format and content of this varies depending on the API version. Newer API versions will be able to import exports from older API versions, facilitating upgrades.
Copyright ©2015 The MITRE Corporation and the MIT Kerberos and Internet Trust Consortium. Software is available under the Apache 2.0 license. Documentation available under the Creative Commons 3.0 By-NC license.