Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. AuthProviderService

5.1. ExchangeToken
Copy link

POST /v1/authProviders/exchangeToken

5.1.1. Description
Copy link

5.1.2. Parameters
Copy link

5.1.2.1. Body Parameter
Copy link

Expand
NameDescriptionRequiredDefaultPattern

body

V1ExchangeTokenRequest

X

  

5.1.3. Return Type
Copy link

V1ExchangeTokenResponse

5.1.4. Content Type
Copy link

  • application/json

5.1.5. Responses
Copy link

Expand
Table 5.1. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

V1ExchangeTokenResponse

0

An unexpected error response.

RuntimeError

5.1.6. Samples
Copy link

5.1.7. Common object reference
Copy link

5.1.7.1. AuthProviderRequiredAttribute
Copy link

RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.

Expand
Field NameRequiredNullableTypeDescriptionFormat

attributeKey

  

String

  

attributeValue

  

String

  

5.1.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.1.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.1.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.1.7.4. StorageAccess
Copy link

Expand
Enum Values

NO_ACCESS

READ_ACCESS

READ_WRITE_ACCESS

5.1.7.5. StorageAuthProvider
Copy link

Next Tag: 15.

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

type

  

String

  

uiEndpoint

  

String

  

enabled

  

Boolean

  

config

  

Map of string

Config holds auth provider specific configuration. Each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PEM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PEM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use.

 

loginUrl

  

String

The login URL will be provided by the backend, and may not be specified in a request.

 

validated

  

Boolean

  

extraUiEndpoints

  

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

 

active

  

Boolean

  

requiredAttributes

  

List of AuthProviderRequiredAttribute

  

traits

  

StorageTraits

  

claimMappings

  

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. Each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") Each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider.

 

lastUpdated

  

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

5.1.7.6. StorageServiceIdentity
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

serialStr

  

String

  

serial

  

String

 

int64

id

  

String

  

type

  

StorageServiceType

 

UNKNOWN_SERVICE, SENSOR_SERVICE, CENTRAL_SERVICE, CENTRAL_DB_SERVICE, REMOTE_SERVICE, COLLECTOR_SERVICE, MONITORING_UI_SERVICE, MONITORING_DB_SERVICE, MONITORING_CLIENT_SERVICE, BENCHMARK_SERVICE, SCANNER_SERVICE, SCANNER_DB_SERVICE, ADMISSION_CONTROL_SERVICE, SCANNER_V4_INDEXER_SERVICE, SCANNER_V4_MATCHER_SERVICE, SCANNER_V4_DB_SERVICE,

initBundleId

  

String

  

5.1.7.7. StorageServiceType
Copy link

Next available tag: 16
Expand
Enum Values

UNKNOWN_SERVICE

SENSOR_SERVICE

CENTRAL_SERVICE

CENTRAL_DB_SERVICE

REMOTE_SERVICE

COLLECTOR_SERVICE

MONITORING_UI_SERVICE

MONITORING_DB_SERVICE

MONITORING_CLIENT_SERVICE

BENCHMARK_SERVICE

SCANNER_SERVICE

SCANNER_DB_SERVICE

ADMISSION_CONTROL_SERVICE

SCANNER_V4_INDEXER_SERVICE

SCANNER_V4_MATCHER_SERVICE

SCANNER_V4_DB_SERVICE

5.1.7.8. StorageTraits
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

mutabilityMode

  

TraitsMutabilityMode

 

ALLOW_MUTATE, ALLOW_MUTATE_FORCED,

visibility

  

TraitsVisibility

 

VISIBLE, HIDDEN,

origin

  

TraitsOrigin

 

IMPERATIVE, DEFAULT, DECLARATIVE, DECLARATIVE_ORPHANED,

5.1.7.9. StorageUserInfo
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

username

  

String

  

friendlyName

  

String

  

permissions

  

UserInfoResourceToAccess

  

roles

  

List of StorageUserInfoRole

  

5.1.7.10. StorageUserInfoRole
Copy link

Role is wire compatible with the old format of storage.Role and hence only includes role name and associated permissions.

Expand
Field NameRequiredNullableTypeDescriptionFormat

name

  

String

  

resourceToAccess

  

Map of StorageAccess

  

5.1.7.11. TraitsMutabilityMode
Copy link

EXPERIMENTAL. NOTE: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATE and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATE_FORCED forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATE to ALLOW_MUTATE_FORCED is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATE.

Expand
Enum Values

ALLOW_MUTATE

ALLOW_MUTATE_FORCED

5.1.7.12. TraitsOrigin
Copy link

Origin specifies the origin of an object. Objects can have four different origins: - IMPERATIVE: the object was created via the API. This is assumed by default. - DEFAULT: the object is a default object, such as default roles, access scopes etc. - DECLARATIVE: the object is created via declarative configuration. - DECLARATIVE_ORPHANED: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DECLARATIVE origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPERATIVE origin. Objects with the DEFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPERATIVE origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DECLARATIVE_ORPHANED origin are not allowed to be modified via either API or declarative configuration. DECLARATIVE_ORPHANED resource can become DECLARATIVE again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

Expand
Enum Values

IMPERATIVE

DEFAULT

DECLARATIVE

DECLARATIVE_ORPHANED

5.1.7.13. TraitsVisibility
Copy link

EXPERIMENTAL. visibility allows to specify whether the object should be visible for certain APIs.

Expand
Enum Values

VISIBLE

HIDDEN

5.1.7.14. UserInfoResourceToAccess
Copy link

ResourceToAccess represents a collection of permissions. It is wire compatible with the old format of storage.Role and replaces it in places where only aggregated permissions are required.

Expand
Field NameRequiredNullableTypeDescriptionFormat

resourceToAccess

  

Map of StorageAccess

  

5.1.7.15. V1AuthStatus
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

userId

  

String

  

serviceId

  

StorageServiceIdentity

  

expires

  

Date

 

date-time

refreshUrl

  

String

  

authProvider

  

StorageAuthProvider

  

userInfo

  

StorageUserInfo

  

userAttributes

  

List of V1UserAttribute

  

idpToken

  

String

Token returned to ACS by the underlying identity provider. This field is set only in a few, specific contexts. Do not rely on this field being present in the response.

 

5.1.7.16. V1ExchangeTokenRequest
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

externalToken

  

String

The external authentication token. The server will mask the value of this credential in responses and logs.

 

type

  

String

  

state

  

String

  

5.1.7.17. V1ExchangeTokenResponse
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

token

  

String

  

clientState

  

String

  

test

  

Boolean

  

user

  

V1AuthStatus

  

5.1.7.18. V1UserAttribute
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

key

  

String

  

values

  

List of string

  

5.2. GetAuthProviders
Copy link

GET /v1/authProviders

5.2.1. Description
Copy link

5.2.2. Parameters
Copy link

5.2.2.1. Query Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

name

 

-

null

 

type

 

-

null

 

5.2.3. Return Type
Copy link

V1GetAuthProvidersResponse

5.2.4. Content Type
Copy link

  • application/json

5.2.5. Responses
Copy link

Expand
Table 5.2. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

V1GetAuthProvidersResponse

0

An unexpected error response.

RuntimeError

5.2.6. Samples
Copy link

5.2.7. Common object reference
Copy link

5.2.7.1. AuthProviderRequiredAttribute
Copy link

RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.

Expand
Field NameRequiredNullableTypeDescriptionFormat

attributeKey

  

String

  

attributeValue

  

String

  

5.2.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.2.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.2.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.2.7.4. StorageAuthProvider
Copy link

Next Tag: 15.

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

type

  

String

  

uiEndpoint

  

String

  

enabled

  

Boolean

  

config

  

Map of string

Config holds auth provider specific configuration. Each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PEM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PEM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use.

 

loginUrl

  

String

The login URL will be provided by the backend, and may not be specified in a request.

 

validated

  

Boolean

  

extraUiEndpoints

  

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

 

active

  

Boolean

  

requiredAttributes

  

List of AuthProviderRequiredAttribute

  

traits

  

StorageTraits

  

claimMappings

  

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. Each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") Each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider.

 

lastUpdated

  

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

5.2.7.5. StorageTraits
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

mutabilityMode

  

TraitsMutabilityMode

 

ALLOW_MUTATE, ALLOW_MUTATE_FORCED,

visibility

  

TraitsVisibility

 

VISIBLE, HIDDEN,

origin

  

TraitsOrigin

 

IMPERATIVE, DEFAULT, DECLARATIVE, DECLARATIVE_ORPHANED,

5.2.7.6. TraitsMutabilityMode
Copy link

EXPERIMENTAL. NOTE: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATE and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATE_FORCED forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATE to ALLOW_MUTATE_FORCED is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATE.

Expand
Enum Values

ALLOW_MUTATE

ALLOW_MUTATE_FORCED

5.2.7.7. TraitsOrigin
Copy link

Origin specifies the origin of an object. Objects can have four different origins: - IMPERATIVE: the object was created via the API. This is assumed by default. - DEFAULT: the object is a default object, such as default roles, access scopes etc. - DECLARATIVE: the object is created via declarative configuration. - DECLARATIVE_ORPHANED: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DECLARATIVE origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPERATIVE origin. Objects with the DEFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPERATIVE origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DECLARATIVE_ORPHANED origin are not allowed to be modified via either API or declarative configuration. DECLARATIVE_ORPHANED resource can become DECLARATIVE again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

Expand
Enum Values

IMPERATIVE

DEFAULT

DECLARATIVE

DECLARATIVE_ORPHANED

5.2.7.8. TraitsVisibility
Copy link

EXPERIMENTAL. visibility allows to specify whether the object should be visible for certain APIs.

Expand
Enum Values

VISIBLE

HIDDEN

5.2.7.9. V1GetAuthProvidersResponse
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

authProviders

  

List of StorageAuthProvider

  

5.3. DeleteAuthProvider
Copy link

DELETE /v1/authProviders/{id}

5.3.1. Description
Copy link

5.3.2. Parameters
Copy link

5.3.2.1. Path Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

id

 

X

null

 

5.3.2.2. Query Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

force

 

-

null

 

5.3.3. Return Type
Copy link

Object

5.3.4. Content Type
Copy link

  • application/json

5.3.5. Responses
Copy link

Expand
Table 5.3. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

Object

0

An unexpected error response.

RuntimeError

5.3.6. Samples
Copy link

5.3.7. Common object reference
Copy link

5.3.7.1. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.3.7.1.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.3.7.2. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.4. GetAuthProvider
Copy link

GET /v1/authProviders/{id}

5.4.1. Description
Copy link

5.4.2. Parameters
Copy link

5.4.2.1. Path Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

id

 

X

null

 

5.4.3. Return Type
Copy link

StorageAuthProvider

5.4.4. Content Type
Copy link

  • application/json

5.4.5. Responses
Copy link

Expand
Table 5.4. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

RuntimeError

5.4.6. Samples
Copy link

5.4.7. Common object reference
Copy link

5.4.7.1. AuthProviderRequiredAttribute
Copy link

RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.

Expand
Field NameRequiredNullableTypeDescriptionFormat

attributeKey

  

String

  

attributeValue

  

String

  

5.4.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.4.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.4.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.4.7.4. StorageAuthProvider
Copy link

Next Tag: 15.

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

type

  

String

  

uiEndpoint

  

String

  

enabled

  

Boolean

  

config

  

Map of string

Config holds auth provider specific configuration. Each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PEM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PEM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use.

 

loginUrl

  

String

The login URL will be provided by the backend, and may not be specified in a request.

 

validated

  

Boolean

  

extraUiEndpoints

  

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

 

active

  

Boolean

  

requiredAttributes

  

List of AuthProviderRequiredAttribute

  

traits

  

StorageTraits

  

claimMappings

  

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. Each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") Each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider.

 

lastUpdated

  

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

5.4.7.5. StorageTraits
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

mutabilityMode

  

TraitsMutabilityMode

 

ALLOW_MUTATE, ALLOW_MUTATE_FORCED,

visibility

  

TraitsVisibility

 

VISIBLE, HIDDEN,

origin

  

TraitsOrigin

 

IMPERATIVE, DEFAULT, DECLARATIVE, DECLARATIVE_ORPHANED,

5.4.7.6. TraitsMutabilityMode
Copy link

EXPERIMENTAL. NOTE: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATE and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATE_FORCED forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATE to ALLOW_MUTATE_FORCED is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATE.

Expand
Enum Values

ALLOW_MUTATE

ALLOW_MUTATE_FORCED

5.4.7.7. TraitsOrigin
Copy link

Origin specifies the origin of an object. Objects can have four different origins: - IMPERATIVE: the object was created via the API. This is assumed by default. - DEFAULT: the object is a default object, such as default roles, access scopes etc. - DECLARATIVE: the object is created via declarative configuration. - DECLARATIVE_ORPHANED: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DECLARATIVE origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPERATIVE origin. Objects with the DEFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPERATIVE origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DECLARATIVE_ORPHANED origin are not allowed to be modified via either API or declarative configuration. DECLARATIVE_ORPHANED resource can become DECLARATIVE again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

Expand
Enum Values

IMPERATIVE

DEFAULT

DECLARATIVE

DECLARATIVE_ORPHANED

5.4.7.8. TraitsVisibility
Copy link

EXPERIMENTAL. visibility allows to specify whether the object should be visible for certain APIs.

Expand
Enum Values

VISIBLE

HIDDEN

5.5. UpdateAuthProvider
Copy link

PATCH /v1/authProviders/{id}

5.5.1. Description
Copy link

5.5.2. Parameters
Copy link

5.5.2.1. Path Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

id

 

X

null

 

5.5.2.2. Body Parameter
Copy link

Expand
NameDescriptionRequiredDefaultPattern

body

V1UpdateAuthProviderRequest

X

  

5.5.3. Return Type
Copy link

StorageAuthProvider

5.5.4. Content Type
Copy link

  • application/json

5.5.5. Responses
Copy link

Expand
Table 5.5. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

RuntimeError

5.5.6. Samples
Copy link

5.5.7. Common object reference
Copy link

5.5.7.1. AuthProviderRequiredAttribute
Copy link

RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.

Expand
Field NameRequiredNullableTypeDescriptionFormat

attributeKey

  

String

  

attributeValue

  

String

  

5.5.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.5.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.5.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.5.7.4. StorageAuthProvider
Copy link

Next Tag: 15.

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

type

  

String

  

uiEndpoint

  

String

  

enabled

  

Boolean

  

config

  

Map of string

Config holds auth provider specific configuration. Each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PEM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PEM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use.

 

loginUrl

  

String

The login URL will be provided by the backend, and may not be specified in a request.

 

validated

  

Boolean

  

extraUiEndpoints

  

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

 

active

  

Boolean

  

requiredAttributes

  

List of AuthProviderRequiredAttribute

  

traits

  

StorageTraits

  

claimMappings

  

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. Each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") Each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider.

 

lastUpdated

  

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

5.5.7.5. StorageTraits
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

mutabilityMode

  

TraitsMutabilityMode

 

ALLOW_MUTATE, ALLOW_MUTATE_FORCED,

visibility

  

TraitsVisibility

 

VISIBLE, HIDDEN,

origin

  

TraitsOrigin

 

IMPERATIVE, DEFAULT, DECLARATIVE, DECLARATIVE_ORPHANED,

5.5.7.6. TraitsMutabilityMode
Copy link

EXPERIMENTAL. NOTE: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATE and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATE_FORCED forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATE to ALLOW_MUTATE_FORCED is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATE.

Expand
Enum Values

ALLOW_MUTATE

ALLOW_MUTATE_FORCED

5.5.7.7. TraitsOrigin
Copy link

Origin specifies the origin of an object. Objects can have four different origins: - IMPERATIVE: the object was created via the API. This is assumed by default. - DEFAULT: the object is a default object, such as default roles, access scopes etc. - DECLARATIVE: the object is created via declarative configuration. - DECLARATIVE_ORPHANED: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DECLARATIVE origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPERATIVE origin. Objects with the DEFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPERATIVE origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DECLARATIVE_ORPHANED origin are not allowed to be modified via either API or declarative configuration. DECLARATIVE_ORPHANED resource can become DECLARATIVE again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

Expand
Enum Values

IMPERATIVE

DEFAULT

DECLARATIVE

DECLARATIVE_ORPHANED

5.5.7.8. TraitsVisibility
Copy link

EXPERIMENTAL. visibility allows to specify whether the object should be visible for certain APIs.

Expand
Enum Values

VISIBLE

HIDDEN

5.5.7.9. V1UpdateAuthProviderRequest
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

enabled

  

Boolean

  

5.6. PutAuthProvider
Copy link

PUT /v1/authProviders/{id}

5.6.1. Description
Copy link

5.6.2. Parameters
Copy link

5.6.2.1. Path Parameters
Copy link

Expand
NameDescriptionRequiredDefaultPattern

id

 

X

null

 

5.6.2.2. Body Parameter
Copy link

Expand
NameDescriptionRequiredDefaultPattern

body

StorageAuthProvider

X

  

5.6.3. Return Type
Copy link

StorageAuthProvider

5.6.4. Content Type
Copy link

  • application/json

5.6.5. Responses
Copy link

Expand
Table 5.6. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

RuntimeError

5.6.6. Samples
Copy link

5.6.7. Common object reference
Copy link

5.6.7.1. AuthProviderRequiredAttribute
Copy link

RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.

Expand
Field NameRequiredNullableTypeDescriptionFormat

attributeKey

  

String

  

attributeValue

  

String

  

5.6.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.6.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.6.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.6.7.4. StorageAuthProvider
Copy link

Next Tag: 15.

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

type

  

String

  

uiEndpoint

  

String

  

enabled

  

Boolean

  

config

  

Map of string

Config holds auth provider specific configuration. Each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PEM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PEM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use.

 

loginUrl

  

String

The login URL will be provided by the backend, and may not be specified in a request.

 

validated

  

Boolean

  

extraUiEndpoints

  

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

 

active

  

Boolean

  

requiredAttributes

  

List of AuthProviderRequiredAttribute

  

traits

  

StorageTraits

  

claimMappings

  

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. Each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") Each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider.

 

lastUpdated

  

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

5.6.7.5. StorageTraits
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

mutabilityMode

  

TraitsMutabilityMode

 

ALLOW_MUTATE, ALLOW_MUTATE_FORCED,

visibility

  

TraitsVisibility

 

VISIBLE, HIDDEN,

origin

  

TraitsOrigin

 

IMPERATIVE, DEFAULT, DECLARATIVE, DECLARATIVE_ORPHANED,

5.6.7.6. TraitsMutabilityMode
Copy link

EXPERIMENTAL. NOTE: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATE and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATE_FORCED forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATE to ALLOW_MUTATE_FORCED is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATE.

Expand
Enum Values

ALLOW_MUTATE

ALLOW_MUTATE_FORCED

5.6.7.7. TraitsOrigin
Copy link

Origin specifies the origin of an object. Objects can have four different origins: - IMPERATIVE: the object was created via the API. This is assumed by default. - DEFAULT: the object is a default object, such as default roles, access scopes etc. - DECLARATIVE: the object is created via declarative configuration. - DECLARATIVE_ORPHANED: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DECLARATIVE origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPERATIVE origin. Objects with the DEFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPERATIVE origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DECLARATIVE_ORPHANED origin are not allowed to be modified via either API or declarative configuration. DECLARATIVE_ORPHANED resource can become DECLARATIVE again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

Expand
Enum Values

IMPERATIVE

DEFAULT

DECLARATIVE

DECLARATIVE_ORPHANED

5.6.7.8. TraitsVisibility
Copy link

EXPERIMENTAL. visibility allows to specify whether the object should be visible for certain APIs.

Expand
Enum Values

VISIBLE

HIDDEN

5.7. PostAuthProvider
Copy link

POST /v1/authProviders

5.7.1. Description
Copy link

5.7.2. Parameters
Copy link

5.7.2.1. Body Parameter
Copy link

Expand
NameDescriptionRequiredDefaultPattern

body

StorageAuthProvider

X

  

5.7.3. Return Type
Copy link

StorageAuthProvider

5.7.4. Content Type
Copy link

  • application/json

5.7.5. Responses
Copy link

Expand
Table 5.7. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

StorageAuthProvider

0

An unexpected error response.

RuntimeError

5.7.6. Samples
Copy link

5.7.7. Common object reference
Copy link

5.7.7.1. AuthProviderRequiredAttribute
Copy link

RequiredAttribute allows to specify a set of attributes which ALL are required to be returned by the auth provider. If any attribute is missing within the external claims of the token issued by Central, the authentication request to this IdP is considered failed.

Expand
Field NameRequiredNullableTypeDescriptionFormat

attributeKey

  

String

  

attributeValue

  

String

  

5.7.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.7.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.7.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.7.7.4. StorageAuthProvider
Copy link

Next Tag: 15.

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

type

  

String

  

uiEndpoint

  

String

  

enabled

  

Boolean

  

config

  

Map of string

Config holds auth provider specific configuration. Each configuration options are different based on the given auth provider type. OIDC: - \"issuer\": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - \"client_id\": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - \"client_secret\": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - \"do_not_use_client_secret\": set to \"true\" if you want to create a configuration with only a client ID and no client secret. - \"mode\": the OIDC callback mode, choosing from \"fragment\", \"post\", or \"query\". - \"disable_offline_access_scope\": set to \"true\" if no offline tokens shall be issued. - \"extra_scopes\": a space-delimited string of additional scopes to request in addition to \"openid profile email\" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - \"keys\": the trusted certificates PEM encoded. SAML: - \"sp_issuer\": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - \"idp_metadata_url\": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - \"idp_issuer\": the IdP issuer. - \"idp_cert_pem\": the cert PEM encoded for the IdP endpoint. - \"idp_sso_url\": the IdP SSO URL. - \"idp_nameid_format\": the IdP name ID format. IAP: - \"audience\": the audience to use.

 

loginUrl

  

String

The login URL will be provided by the backend, and may not be specified in a request.

 

validated

  

Boolean

  

extraUiEndpoints

  

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

 

active

  

Boolean

  

requiredAttributes

  

List of AuthProviderRequiredAttribute

  

traits

  

StorageTraits

  

claimMappings

  

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. Each key in this map contains a path in IdP token we want to map. Path is separated by \".\" symbol. For example, if IdP token payload looks like: { \"a\": { \"b\" : \"c\", \"d\": true, \"e\": [ \"val1\", \"val2\", \"val3\" ], \"f\": [ true, false, false ], \"g\": 123.0, \"h\": [ 1, 2, 3] } } then \"a.b\" would be a valid key and \"a.z\" is not. We support the following types of claims: * string(path \"a.b\") * bool(path \"a.d\") * string array(path \"a.e\") * bool array (path \"a.f.\") We do NOT support the following types of claims: * complex claims(path \"a\") * float/integer claims(path \"a.g\") * float/integer array claims(path \"a.h\") Each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is \"groups\", claim would be found in \"external_user.Attributes.groups\" in token. Note: we only support this feature for OIDC auth provider.

 

lastUpdated

  

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

5.7.7.5. StorageTraits
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

mutabilityMode

  

TraitsMutabilityMode

 

ALLOW_MUTATE, ALLOW_MUTATE_FORCED,

visibility

  

TraitsVisibility

 

VISIBLE, HIDDEN,

origin

  

TraitsOrigin

 

IMPERATIVE, DEFAULT, DECLARATIVE, DECLARATIVE_ORPHANED,

5.7.7.6. TraitsMutabilityMode
Copy link

EXPERIMENTAL. NOTE: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATE and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATE_FORCED forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATE to ALLOW_MUTATE_FORCED is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATE.

Expand
Enum Values

ALLOW_MUTATE

ALLOW_MUTATE_FORCED

5.7.7.7. TraitsOrigin
Copy link

Origin specifies the origin of an object. Objects can have four different origins: - IMPERATIVE: the object was created via the API. This is assumed by default. - DEFAULT: the object is a default object, such as default roles, access scopes etc. - DECLARATIVE: the object is created via declarative configuration. - DECLARATIVE_ORPHANED: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DECLARATIVE origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPERATIVE origin. Objects with the DEFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPERATIVE origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DECLARATIVE_ORPHANED origin are not allowed to be modified via either API or declarative configuration. DECLARATIVE_ORPHANED resource can become DECLARATIVE again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

Expand
Enum Values

IMPERATIVE

DEFAULT

DECLARATIVE

DECLARATIVE_ORPHANED

5.7.7.8. TraitsVisibility
Copy link

EXPERIMENTAL. visibility allows to specify whether the object should be visible for certain APIs.

Expand
Enum Values

VISIBLE

HIDDEN

5.8. ListAvailableProviderTypes
Copy link

GET /v1/availableAuthProviders

5.8.1. Description
Copy link

5.8.2. Parameters
Copy link

5.8.3. Return Type
Copy link

V1AvailableProviderTypesResponse

5.8.4. Content Type
Copy link

  • application/json

5.8.5. Responses
Copy link

Expand
Table 5.8. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

V1AvailableProviderTypesResponse

0

An unexpected error response.

RuntimeError

5.8.6. Samples
Copy link

5.8.7. Common object reference
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

type

  

String

  

suggestedAttributes

  

List of string

  

5.8.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.8.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.8.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.8.7.4. V1AvailableProviderTypesResponse
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

authProviderTypes

  

List of AvailableProviderTypesResponseAuthProviderType

  

5.9. GetLoginAuthProviders
Copy link

GET /v1/login/authproviders

5.9.1. Description
Copy link

5.9.2. Parameters
Copy link

5.9.3. Return Type
Copy link

V1GetLoginAuthProvidersResponse

5.9.4. Content Type
Copy link

  • application/json

5.9.5. Responses
Copy link

Expand
Table 5.9. HTTP Response Codes
CodeMessageDatatype

200

A successful response.

V1GetLoginAuthProvidersResponse

0

An unexpected error response.

RuntimeError

5.9.6. Samples
Copy link

5.9.7. Common object reference
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

id

  

String

  

name

  

String

  

type

  

String

  

loginUrl

  

String

  

5.9.7.2. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++. 

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java. 

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
 
Example 3: Pack and unpack a message in Python.
 
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
 
Example 4: Pack and unpack a message in Go
 
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

5.9.7.2.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example: 

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
 
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]): 

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Expand
Field NameRequiredNullableTypeDescriptionFormat

typeUrl

  

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

 

value

  

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

5.9.7.3. RuntimeError
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

error

  

String

  

code

  

Integer

 

int32

message

  

String

  

details

  

List of ProtobufAny

  

5.9.7.4. V1GetLoginAuthProvidersResponse
Copy link

Expand
Field NameRequiredNullableTypeDescriptionFormat

authProviders

  

List of GetLoginAuthProvidersResponseLoginAuthProvider

  
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top