Create client

POST /oauth/clients
Internal-Use Only

Creates a new client. Authorization: Bearer token with clients.write, clients.admin, zones.{zoneId}.admin, or equivalent (SASAdministrators) scope.

Request Samples

Response Samples

{
  "scope": [
    "openid",
    "uaa.user"
  ],
  "client_id": "app",
  "resource_ids": [
    "none"
  ],
  "authorized_grant_types": [
    "authorization_code"
  ],
  "redirect_uri": [
    "http://example.com/app"
  ],
  "autoapprove": [
    "true"
  ],
  "authorities": [
    "uaa.none"
  ],
  "name": "My custom application",
  "lastModified": 1548439765169
}

Request Body

The client to be created.

The OAuth client information that is passed as input to the POST/PUT calls.

| Name | Type | Required | Description |
|---|---|---|---|
| client_id | string | true | The client identifier that is unique within the identity zone. |
| authorized_grant_types | array [string] | true | The list of grant types that can be used to obtain a token with this client. Types can include authorization_code, password, implicit, and client_credentials. |
| redirect_uri | array [string] | false | The allowed URI pattern for redirect during authorization, or "urn:ietf:wg:oauth:2.0:oob" for out-of-band delivery. |
| scope | array [string] | false | The list of scopes that the client is allowed to obtain on behalf of users when using any grant type other than "client_credentials". For most SAS Viya APIs, "openid" and "uaa.user" are sufficient. For client applications that use only the grant type "client_credentials", and therefore do not act on behalf of users, use the default scope "uaa.none". |
| resource_ids | array [string] | false | The resources that the client is allowed to access. |
| authorities | array [string] | false | The list of groups that the client is a member of, used to access resources and endpoints. |
| autoapprove | array [string] | false | The scopes that do not require user approval, or a simple Boolean value to apply to all scopes. |
| access_token_validity | integer | false | The time, in seconds, until the access token expires after it is issued. |
| refresh_token_validity | integer | false | The time, in seconds, until the refresh token expires after it is issued. |
| allowedproviders | array [string] | false | The list of origin keys (aliases) for the identity providers that the client is limited to. Null implies that any identity provider is allowed. |
| name | string | false | The human-readable name for the client. |
| token_salt | string | false | A random string that is used to generate the client's revocation key. Change this value to revoke all active tokens for the client. |
| createdwith | string | false | The scope that the bearer token had when the client was created. |
| approvals_deleted | boolean | false | Indicates whether the approvals were deleted for the client and an audit event was sent. |
| required_user_groups | array [string] | false | A list of group names. If a user does not belong to all the required groups, the user is not authenticated and no tokens are issued to this client for that user. If this field is not specified, authentication and token issuance proceed normally. |
| client_secret | string | false | The secret string used for authenticating as this client. To support secret rotation, this can be a space-delimited string of two secrets. This is required if the client allows the authorization_code or client_credentials grant type. |
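
The field rules in the table above can be checked before a request is sent. The following Python check is an added example, not SAS code or part of the original reference; the name check_client_request and the sample values are assumptions, and it tests only rules stated on this page.

```python
SECRET_GRANTS = {"authorization_code", "client_credentials"}


def check_client_request(body):
    """Return the problems found in a POST /oauth/clients request body (dict)."""
    problems = []

    client_id = body.get("client_id")
    if not isinstance(client_id, str) or not client_id:
        problems.append("client_id: required, non-empty string")

    grants = body.get("authorized_grant_types")
    if not isinstance(grants, list) or not grants:
        problems.append("authorized_grant_types: required, non-empty array")
        grants = []

    # One secret, or two space-delimited secrets while rotating.
    secret = body.get("client_secret")
    secrets = secret.split() if isinstance(secret, str) else []
    if SECRET_GRANTS & set(grants) and not secrets:
        problems.append("client_secret: required for authorization_code or client_credentials")
    if len(secrets) > 2:
        problems.append("client_secret: at most two space-delimited secrets")

    # A client that only uses client_credentials does not act for users.
    scope = body.get("scope")
    if set(grants) == {"client_credentials"} and scope not in (None, ["uaa.none"]):
        problems.append("scope: client_credentials-only clients use uaa.none")

    return problems


# Constructed sample: the response sample above resubmitted as a request.
# It carries no client_secret, so the authorization_code rule flags it.
SAMPLE = {
    "client_id": "app",
    "authorized_grant_types": ["authorization_code"],
    "scope": ["openid", "uaa.user"],
    "redirect_uri": ["http://example.com/app"],
    "autoapprove": ["true"],
    "authorities": ["uaa.none"],
    "name": "My custom application",
}

if __name__ == "__main__":
    print(check_client_request(SAMPLE))
    # Placeholder secret, constructed for the example only.
    print(check_client_request(dict(SAMPLE, client_secret="placeholder-secret")))
```
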

Responses

| Status | Meaning | Description |
|---|---|---|
| 201 | Created | A client object was created. The secret is masked in the response. |
| 400 | Bad Request | The request was invalid. |