OAuth Management API v1

Registers identity providers that store API resource owners' credentials, and allows external client apps to access your resource server.

Overview

OAuth Management is part of Akamai’s API Gateway product. The gateway acts as an authorization server that ensures the proper authorization of external client apps that request resources from your registered APIs.

The OAuth Management API lets you register and manage third-party client apps that want to access resource owners’ data residing on your resource server. It also provides a way for you to register identity providers (IdPs) that store resource owners’ credentials.

To fully understand Akamai’s OAuth 2.0 implementation, make sure you’re familiar with how the traditional OAuth 2.0 roles (as described in RFC6749) correspond to the parties involved in API traffic at Akamai:

  • Resource owner. A user who intends to use a client app and whose data you store in your API in the form of API resources. As an API publisher, you control which client apps can access the resources and which IdPs can verify the identities of resource owners.

  • Resource server. The origin server that hosts your APIs.

  • Client app. A third-party mobile or web application that consumes resources within your API.

  • Authorization server. A server that integrates with IdPs to verify resource owners’ identities and provides access tokens and refresh tokens to client apps.

  • Identity provider. An entity that stores resource owners’ information and verifies their identities. Based on IdP-issued authorization grants, the Authorization Server creates access tokens and refresh tokens.

Who should use this API

Akamai provides APIs for developers, DevOps, and operations personnel as an alternative to using Akamai Control Center. This API provides the same functions that are available under the OAuth Management menu selection of Control Center.

The OAuth Management API works closely with the API Endpoint Definition API, which you use to register and manage API endpoints on the Gateway. By implementing OAuth 2.0, you protect the resource owners’ data stored in these registered API endpoints in the form of API resources. You may also use the API Endpoint Definition API to define and assign OAuth scopes to specific API resources. This is often the first step when setting up OAuth in your system. Use this API to register IdPs and client apps only after you assign OAuth scopes.

Client apps that you register use Akamai-provided OAuth 2.0 endpoints to take part in the available OAuth flows. For details on each endpoint, see OAuth 2.0 endpoints.

Getting started

To configure this API for the first time:

Resources

The OAuth Management API lets you interact with the following data objects:

  • A client app is a third-party web or mobile application that wants to access resource owners’ data residing on your resource server. The data is represented by API resources within your registered APIs. You can register a client app and associate it with specific APIs.

  • An identity provider is an entity that stores resource owners’ credentials and verifies their identities. You can register both third-party and your own IdPs.

  • A registered API is an API service you registered with Akamai that contains resource owners’ data in the form of API resources. You can grant third-party client apps access to registered APIs that are active and have the OAuth feature enabled. For details on registering and managing APIs, see API Endpoint Definition API.

API summary

Download the RAML descriptors for this API.

Operation                     Method   Endpoint
APIs
List APIs                     GET      /gateway-oauth/v1/apis
Clients
List client apps              GET      /gateway-oauth/v1/clients
Create a client app           POST     /gateway-oauth/v1/clients
Get a client app              GET      /gateway-oauth/v1/clients/{clientId}
Update a client app           PUT      /gateway-oauth/v1/clients/{clientId}
Remove a client app           DELETE   /gateway-oauth/v1/clients/{clientId}
Identity providers
List identity providers       GET      /gateway-oauth/v1/idps
Create an identity provider   POST     /gateway-oauth/v1/idps
Get an identity provider      GET      /gateway-oauth/v1/idps/{idpId}
Update an identity provider   PUT      /gateway-oauth/v1/idps/{idpId}
Remove an identity provider   DELETE   /gateway-oauth/v1/idps/{idpId}

List APIs

Lists all active registered APIs associated with your current account context for which you enabled OAuth in API Endpoint Definition API. Use this operation’s response object before running the Create a client app operation.

GET /gateway-oauth/v1/apis

Status 200 application/json

Download schema: apis.schema.json

Response Body:

[
    {
        "id": "0IYdWc7WgIa8MVT1Ii1gWCphbLhOIPS8U8",
        "name": "Api QA AID no 86"
    },
    {
        "id": "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "name": "Api QA AID no 47"
    },
    {
        "id": "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu",
        "name": "Api QA AID no 61"
    }
]

List client apps

Lists the details of registered client apps that have access to your resource server.

GET /gateway-oauth/v1/clients

Status 200 application/json

Download schema: clients.schema.json

Response Body:

[
    {
        "name": "App Management UI",
        "clientId": "2d45a874-c565-4869-95f9-464e17b686f0",
        "clientSecret": "b459080c05cba71725f661122aefe5e4d3733b3cc0f3264e7734e733cf567946",
        "contactEmail": "oauth@example.com",
        "createdBy": "oauth-user",
        "createdOn": "2018-12-04T14:59:45.078Z",
        "apiIds": [
            "1251fe6b2fc2ade45c90d3b063a7a73e",
            "0af7d190e227cfa0a492ddb057267e35"
        ],
        "authorizationGrantTypes": [
            "implicit",
            "client_credentials",
            "authorization_code"
        ],
        "redirectUris": [
            "https://app.domain.com/redirect"
        ]
    },
    {
        "name": "new client",
        "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
        "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
        "contactEmail": "contact@email.com",
        "createdBy": "userA",
        "createdOn": "2019-01-17T12:48:25.093Z",
        "apiIds": [
            "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
            "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
        ],
        "authorizationGrantTypes": [
            "client_credentials",
            "authorization_code"
        ],
        "redirectUris": [
            "https://mydomain.com/redirect"
        ]
    }
]

Create a client app

Registers a client app with Akamai. A registered client app may access your resource server.

POST /gateway-oauth/v1/clients

Content-Type: application/json

Object type: Client

Download schema: client.schema.json

Request Body:

{
    "name": "new client",
    "contactEmail": "contact@email.com",
    "authorizationGrantTypes": [
        "authorization_code",
        "client_credentials"
    ],
    "redirectUris": [
        "https://redirect.url"
    ],
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ]
}

Status 200 application/json

Object type: Client

Download schema: client.schema.json

Response Body:

{
    "name": "new client",
    "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
    "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
    "contactEmail": "contact@email.com",
    "createdBy": "userA",
    "createdOn": "2019-01-17T12:48:25.093Z",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ],
    "authorizationGrantTypes": [
        "client_credentials",
        "authorization_code"
    ],
    "redirectUris": [
        "https://mydomain.com/redirect"
    ]
}

  1. Contact the client app developer on whose behalf you are registering the client app. Note the redirectUris to associate with the client app and the contactEmail.

  2. If you don’t already have the apis that you want to allow the client app to access, run the List APIs operation. Store the appropriate objects from the response’s array.

  3. Build a Client object, specifying the unique name, the authorizationGrantTypes, contactEmail, redirectUris, and apiIds.

  4. POST the object to /gateway-oauth/v1/clients.

The response reflects back the complete Client object, from which you can store the clientId value. You can provide the clientId and clientSecret values to the client app developer.

Get a client app

Returns the details of a registered client app.

GET /gateway-oauth/v1/clients/{clientId}

Sample: /gateway-oauth/v1/clients/064dcef4-cf91-400a-b969-87bda8844193

Parameter   Type     Sample                                 Description
URL parameters
clientId    String   064dcef4-cf91-400a-b969-87bda8844193   The unique identifier for a registered client app.

Status 200 application/json

Object type: Client

Download schema: client.schema.json

Response Body:

{
    "name": "new client",
    "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
    "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
    "contactEmail": "contact@email.com",
    "createdBy": "userA",
    "createdOn": "2019-01-17T12:48:25.093Z",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ],
    "authorizationGrantTypes": [
        "client_credentials",
        "authorization_code"
    ],
    "redirectUris": [
        "https://mydomain.com/redirect"
    ]
}

  1. If you don’t already have a clientId value, run the List client apps operation.

  2. Select the appropriate client app from the returned array and store its clientId value.

  3. Make a GET request to /gateway-oauth/v1/clients/{clientId}.

The response is a Client object.

Update a client app

Updates the details of a registered client app.

PUT /gateway-oauth/v1/clients/{clientId}

Sample: /gateway-oauth/v1/clients/064dcef4-cf91-400a-b969-87bda8844193

Content-Type: application/json

Object type: Client

Download schema: client.schema.json

Request Body:

{
    "name": "new client",
    "contactEmail": "contact@email.com",
    "authorizationGrantTypes": [
        "authorization_code",
        "client_credentials"
    ],
    "redirectUris": [
        "https://redirect.url"
    ],
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ]
}

Parameter   Type     Sample                                 Description
URL parameters
clientId    String   064dcef4-cf91-400a-b969-87bda8844193   The unique identifier for a registered client app.

Status 200 application/json

Object type: Client

Download schema: client.schema.json

Response Body:

{
    "name": "new client",
    "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
    "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
    "contactEmail": "contact@email.com",
    "createdBy": "userA",
    "createdOn": "2019-01-17T12:48:25.093Z",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ],
    "authorizationGrantTypes": [
        "client_credentials",
        "authorization_code"
    ],
    "redirectUris": [
        "https://mydomain.com/redirect"
    ]
}

  1. If you don’t already have a clientId value, run the List client apps operation.

  2. Select the appropriate client app from the returned array and store its clientId value.

  3. Run the Get a client app operation for the complete representation of the object.

  4. Modify the returned Client object.

  5. PUT the object back to the same URL as the GET: /gateway-oauth/v1/clients/{clientId}.

A 200 response confirms success, and the response object reflects your modifications.

Remove a client app

Removes a registered client app.

DELETE /gateway-oauth/v1/clients/{clientId}

Sample: /gateway-oauth/v1/clients/064dcef4-cf91-400a-b969-87bda8844193

Parameter   Type     Sample                                 Description
URL parameters
clientId    String   064dcef4-cf91-400a-b969-87bda8844193   The unique identifier for a registered client app.

Status 204

  1. If you don’t already have a clientId value, run the List client apps operation.

  2. Select the appropriate client app from the returned array and store its clientId value.

  3. Make a DELETE request to /gateway-oauth/v1/clients/{clientId}.

A 204 response confirms the object has been deleted.

List identity providers

Lists the details of registered identity providers.

GET /gateway-oauth/v1/idps

Status 200 application/json

Download schema: idps.schema.json

Response Body:

[
    {
        "id": "1e32cfb6-fe86-453c-a100-3ac6f2145604",
        "name": "Google",
        "clientId": "e5ce6475562c5886437db775ad5eb78f.apps.googleusercontent.com",
        "clientSecret": "977490fef3182b8fa6fead0918960927",
        "clientAuthenticationMethod": "BASIC",
        "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
        "userInfoEndpoint": "",
        "userInfoUserNameAttributeName": "",
        "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
        "scopes": [
            "openid"
        ],
        "type": "OIDC",
        "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/1e32cfb6-fe86-453c-a100-3ac6f2145604",
        "createdBy": "userA",
        "createdOn": "2018-09-25T15:49:57.802Z"
    },
    {
        "id": "c514b894-b8f2-4815-90ca-24bfed29cd90",
        "name": "Github",
        "clientId": "b04c8720433e52c0bb45",
        "clientSecret": "1677886e84abba104c8efa4a6c967b5f",
        "clientAuthenticationMethod": "BASIC",
        "authorizationEndpoint": "https://github.com/login/oauth/authorize",
        "tokenEndpoint": "https://github.com/login/oauth/access_token",
        "userInfoEndpoint": "https://api.github.com/user",
        "userInfoUserNameAttributeName": "id",
        "jwksUri": "",
        "scopes": [
            "read:user"
        ],
        "type": "OAUTH2",
        "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/c514b894-b8f2-4815-90ca-24bfed29cd90",
        "createdBy": "userA",
        "createdOn": "2018-09-19T13:19:03.948Z",
        "updatedBy": "userB",
        "updatedOn": "2018-09-19T13:43:10.419Z"
    }
]

Create an identity provider

Registers an identity provider (IdP) with Akamai. The Akamai Authorization Server can integrate with registered IdPs to verify the identity of client apps’ users.

POST /gateway-oauth/v1/idps

Content-Type: application/json

Object type: Idp

Download schema: idp.schema.json

Request Body:

{
    "name": "GitHub",
    "clientId": "222fedffc11d937ee20",
    "clientSecret": "57715f962d5347498f5fab3f842d46dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://github.com/login/oauth/authorize",
    "tokenEndpoint": "https://github.com/login/oauth/access_token",
    "userInfoEndpoint": "https://api.github.com/user",
    "userInfoUserNameAttributeName": "id",
    "jwksUri": "",
    "type": "OAUTH2",
    "scopes": [
        "read:user"
    ]
}

Status 200 application/json

Object type: Idp

Download schema: idp.schema.json

Response Body:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

  1. Provide the necessary details about the Akamai Authorization Server to the IdP that you want to register.

  2. Note the details that the IdP provided in response to your requests, such as clientId, clientSecret, clientAuthenticationMethod, authorizationEndpoint, tokenEndpoint, the IdP type, and client scopes. Depending on the IdP type, note also the userInfoEndpoint and userInfoUserNameAttributeName (for the OAUTH2 IdP type), or the jwksUri (for the OIDC IdP type).

  3. Build an Idp object, specifying a unique name for the IdP and all the details that you received from the IdP.

  4. POST the object to /gateway-oauth/v1/idps.

The response reflects back the complete Idp object, from which you can store the id value. You can provide the redirectUri value to the IdP to finish registering the Akamai Authorization Server at the IdP.

Get an identity provider

Returns the details of a registered identity provider.

GET /gateway-oauth/v1/idps/{idpId}

Sample: /gateway-oauth/v1/idps/1d331399-1e0a-405c-9531-1f65de55b511

Parameter   Type     Sample                                 Description
URL parameters
idpId       String   1d331399-1e0a-405c-9531-1f65de55b511   The unique identifier for a registered identity provider.

Status 200 application/json

Object type: Idp

Download schema: idp.schema.json

Response Body:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

  1. If you don’t already have an id value, run the List identity providers operation.

  2. Select the appropriate IdP from the returned array and store its id value as idpId.

  3. Make a GET request to /gateway-oauth/v1/idps/{idpId}.

The response is an Idp object.

Update an identity provider

Updates the details of a registered identity provider.

PUT /gateway-oauth/v1/idps/{idpId}

Sample: /gateway-oauth/v1/idps/1d331399-1e0a-405c-9531-1f65de55b511

Content-Type: application/json

Object type: Idp

Download schema: idp.schema.json

Request Body:

{
    "name": "GitHub",
    "clientId": "222fedffc11d937ee20",
    "clientSecret": "57715f962d5347498f5fab3f842d46dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://github.com/login/oauth/authorize",
    "tokenEndpoint": "https://github.com/login/oauth/access_token",
    "userInfoEndpoint": "https://api.github.com/user",
    "userInfoUserNameAttributeName": "id",
    "jwksUri": "",
    "type": "OAUTH2",
    "scopes": [
        "read:user"
    ]
}

Parameter   Type     Sample                                 Description
URL parameters
idpId       String   1d331399-1e0a-405c-9531-1f65de55b511   The unique identifier for a registered identity provider.

Status 200 application/json

Object type: Idp

Download schema: idp.schema.json

Response Body:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

  1. If you don’t already have an id value, run the List identity providers operation.

  2. Select the appropriate IdP from the returned array and store its id value as idpId.

  3. Run the Get an identity provider operation for the complete representation of the object.

  4. Modify the returned Idp object.

  5. PUT the object back to the same URL as the GET: /gateway-oauth/v1/idps/{idpId}.

A 200 response confirms success, and the response object reflects your modifications.

Remove an identity provider

Removes a registered identity provider. Once removed, you can no longer use the identity provider to verify the identity of client apps’ users.

DELETE /gateway-oauth/v1/idps/{idpId}

Sample: /gateway-oauth/v1/idps/1d331399-1e0a-405c-9531-1f65de55b511

Parameter   Type     Sample                                 Description
URL parameters
idpId       String   1d331399-1e0a-405c-9531-1f65de55b511   The unique identifier for a registered identity provider.

Status 204

  1. If you don’t already have an id value, run the List identity providers operation.

  2. Select the appropriate IdP from the returned array and store its id value as idpId.

  3. Make a DELETE request to /gateway-oauth/v1/idps/{idpId}.

A 204 response confirms the object has been deleted.

Data

This section provides details for each type of data object the API exchanges.

Download the JSON schemas for this API.

The data schema tables below list membership requirements as follows:

Member is required in requests, or always present in responses, even if its value is empty or null.
Member is optional, and may be omitted in some cases.

Api

Collects information about an active registered API associated with your current account context and for which you enabled OAuth in API Endpoint Definition API.

Download schema: api.schema.json

Sample GET response:

[
    {
        "id": "0IYdWc7WgIa8MVT1Ii1gWCphbLhOIPS8U8",
        "name": "Api QA AID no 86"
    },
    {
        "id": "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "name": "Api QA AID no 47"
    },
    {
        "id": "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu",
        "name": "Api QA AID no 61"
    }
]

Api members

Member Type Required Description
Api: Collects information about an active registered API associated with your current account context and for which you enabled OAuth in API Endpoint Definition API.
id String The unique identifier for the registered API.
name String The name of the registered API.

Client

Collects information about a client app that you register in OAuth Management.

Download schema: client.schema.json

Sample GET response:

{
    "name": "new client",
    "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
    "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
    "contactEmail": "contact@email.com",
    "createdBy": "userA",
    "createdOn": "2019-01-17T12:48:25.093Z",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ],
    "authorizationGrantTypes": [
        "client_credentials",
        "authorization_code"
    ],
    "redirectUris": [
        "https://mydomain.com/redirect"
    ]
}

Client members

Member Type Required Description
Client: Collects information about a client app that you register in OAuth Management.
apiIds Array The collection of unique identifiers of active registered APIs for which you enabled OAuth in API Endpoint Definition API. The APIs must be associated with your current account context.
authorizationGrantTypes Array The collection of authorization grant types that you want to allow for the client app. The authorization_code grant type is about sending to a client app an authorization code that the client app exchanges for access and refresh tokens. It’s the most secure option suitable for confidential client apps. The implicit grant type involves passing an access token directly to the client app and is suitable for public client apps. The client_credentials grant type is best for trusted client apps that act as resource owners. Specify at least one authorization grant type.
clientId String Read-only. The unique identifier of the client app at the Authorization Server. Provide this value and the clientSecret to client app developers to let them access resources within your registered APIs.
clientSecret String Read-only. The secret that allows the client app to exchange an authorization code for an access token. Provide this value and the clientId to client app developers to let them access resources within your registered APIs.
contactEmail String The contact email of the client app developer on whose behalf you register the client app.
createdBy String Read-only. The name of the Akamai user who registered the client app.
createdOn String Read-only. The ISO 8601 timestamp indicating when you registered the client app.
name String The name under which you register the client app. Resource owners see this name on a consent page when they give the client app permissions to use their data.
redirectUris Array The collection of URLs where the Authorization Server may redirect the resource owner after the client app successfully authorizes. Specify this only if you selected authorization_code or implicit for the associated authorizationGrantTypes member. Make sure each URL starts with https.
updatedBy String Read-only. The name of the Akamai user who last updated the client app.
updatedOn String Read-only. The ISO 8601 timestamp indicating when you last updated the client app.
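
The constraints in the Client members table can be checked mechanically over a List client apps response, which also returns each clientSecret in clear text and so should be redacted before it is logged. The following Python audit is an added example, not Akamai's code: the finding codes, function names and sample data are constructed for illustration, and flagging the implicit grant is a review policy of the example (RFC 9700 recommends against that grant), not a rule of the API.

```python
from urllib.parse import urlsplit

# Grant types named in the Client members table.
KNOWN_GRANTS = {"authorization_code", "implicit", "client_credentials"}
# Grants that send the resource owner back to a redirect URI.
REDIRECT_GRANTS = {"authorization_code", "implicit"}


def redact(client):
    """Copy of a Client object that is safe to log (clientSecret masked)."""
    safe = dict(client)
    if safe.get("clientSecret"):
        safe["clientSecret"] = "<redacted>"
    return safe


def is_https_url(url):
    """True only for a well-formed absolute https URL with a host."""
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    return parts.scheme == "https" and bool(parts.hostname)


def audit_client(client, active_api_ids):
    """Return (code, detail) findings for one Client object."""
    findings = []
    grants = set(client.get("authorizationGrantTypes") or [])
    redirects = client.get("redirectUris") or []

    if not grants:
        findings.append(("NO_GRANT", "specify at least one grant type"))
    for grant in sorted(grants - KNOWN_GRANTS):
        findings.append(("UNKNOWN_GRANT", grant))
    if "implicit" in grants:
        # Review policy assumed by this example, not an API rule:
        # RFC 9700 recommends against the implicit grant.
        findings.append(("IMPLICIT_GRANT", "token is passed directly to the app"))
    for uri in redirects:
        if not is_https_url(uri):
            findings.append(("REDIRECT_NOT_HTTPS", uri))
    if redirects and not (grants & REDIRECT_GRANTS):
        findings.append(("REDIRECT_UNUSED", "no redirect-based grant enabled"))
    for api_id in client.get("apiIds") or []:
        if api_id not in active_api_ids:
            findings.append(("UNKNOWN_API", api_id))
    return findings


def audit_clients(clients, apis):
    """Map clientId -> findings, listing only clients that have findings."""
    active = {api["id"] for api in apis}
    report = {}
    for client in clients:
        findings = audit_client(client, active)
        if findings:
            report[client["clientId"]] = findings
    return report


# Constructed sample data shaped like the List APIs and List client apps
# responses; none of these identifiers or secrets are real.
SAMPLE_APIS = [
    {"id": "api-constructed-1", "name": "Orders"},
    {"id": "api-constructed-2", "name": "Billing"},
]
SAMPLE_CLIENTS = [
    {"name": "web portal", "clientId": "client-constructed-a",
     "clientSecret": "constructed-secret-a", "apiIds": ["api-constructed-1"],
     "authorizationGrantTypes": ["authorization_code"],
     "redirectUris": ["https://portal.example.com/redirect"]},
    {"name": "legacy spa", "clientId": "client-constructed-b",
     "clientSecret": "constructed-secret-b",
     "apiIds": ["api-constructed-1", "api-retired-9"],
     "authorizationGrantTypes": ["implicit"],
     "redirectUris": ["http://spa.example.com/cb"]},
    {"name": "batch job", "clientId": "client-constructed-c",
     "clientSecret": "constructed-secret-c", "apiIds": ["api-constructed-2"],
     "authorizationGrantTypes": ["client_credentials"],
     "redirectUris": ["https://batch.example.com/unused"]},
]

if __name__ == "__main__":
    for client_id, findings in audit_clients(SAMPLE_CLIENTS, SAMPLE_APIS).items():
        for code, detail in findings:
            print(f"{client_id}: {code}: {detail}")
    print(redact(SAMPLE_CLIENTS[0]))
```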

Idp

Collects information about an identity provider (IdP) you register in OAuth Management.

Download schema: idp.schema.json

Sample GET response:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

Idp members

Member Type Required Description
Idp: Collects information about an identity provider (IdP) you register in OAuth Management.
authorizationEndpoint String The IdP-provided URL that the Authorization Server uses to obtain an authorization grant. Make sure the URL starts with https.
clientAuthenticationMethod Enumeration The method that the IdP uses to authenticate client requests. Either BASIC for the HTTP basic authentication, or POST for the POST body authentication.
clientId String The unique identifier the IdP generates for the Authorization Server.
clientSecret String The secret generated by the IdP that allows the Authorization Server to exchange an IdP-issued authorization code for an access token.
createdBy String Read-only. The name of the Akamai user who registered the IdP.
createdOn String Read-only. The ISO 8601 timestamp indicating when you registered the IdP.
id String Read-only. The unique identifier for the IdP.
jwksUri String The URL to a JSON web key set that contains a set of public keys to use for verification of JSON web tokens. Specify this only if you set the corresponding type member to OIDC and make sure the URL starts with https.
name String The name under which you register the IdP. Resource owners see this name on a consent page when they choose the IdP to authenticate with.
redirectUri String Read-only. The Akamai-generated redirect URL that you can use to register Akamai at an IdP.
scopes Array The set of permissions that a resource owner grants to the Authorization Server so that an IdP can verify the resource owner’s credentials. The first consent page that a resource owner encounters during the OAuth process contains this set of scopes. For the type member set to OIDC, include the openid scope in this member. For the type member set to OAUTH2, don’t include the openid scope in this member.
tokenEndpoint String The IdP-provided URL that the Authorization Server uses to exchange an authorization grant for an access token. Make sure the URL starts with https.
type Enumeration The type of the IdP. Either OIDC for IdPs that use JSON web token authentication, or OAUTH2 for IdPs that use opaque token authentication.
updatedBy String Read-only. The name of the Akamai user who last updated the IdP.
updatedOn String Read-only. The ISO 8601 timestamp indicating when you last updated the IdP.
userInfoEndpoint String The IdP-provided URL that the Authorization Server uses to validate the access token against the information present at the IdP. Specify this only if you set the corresponding type member to OAUTH2 and make sure the URL starts with https.
userInfoUserNameAttributeName String The attribute name returned by the user info endpoint that contains a user name as its value. Specify this only if you set the corresponding type member to OAUTH2.
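
The Idp members table makes several members conditional on type, which is easy to get wrong when building the request body by hand. This added Python example (not Akamai's code) checks an Idp object before you POST or PUT it. It assumes the type-specific members are required for their type, and the function name, messages and sample objects are constructed.

```python
from urllib.parse import urlsplit

AUTH_METHODS = {"BASIC", "POST"}
# type -> (members expected for that type, members used only by the other type)
TYPE_RULES = {
    "OIDC": (("jwksUri",),
             ("userInfoEndpoint", "userInfoUserNameAttributeName")),
    "OAUTH2": (("userInfoEndpoint", "userInfoUserNameAttributeName"),
               ("jwksUri",)),
}
URL_MEMBERS = ("authorizationEndpoint", "tokenEndpoint",
               "userInfoEndpoint", "jwksUri")
COMMON_MEMBERS = ("name", "clientId", "clientSecret",
                  "authorizationEndpoint", "tokenEndpoint")


def _is_https(url):
    """True only for a well-formed absolute https URL with a host."""
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and bool(parts.hostname)


def validate_idp(idp):
    """Return sorted 'member: problem' strings; an empty list means OK."""
    problems = []

    idp_type = idp.get("type")
    if not isinstance(idp_type, str) or idp_type not in TYPE_RULES:
        problems.append("type: must be OIDC or OAUTH2")
        idp_type = None

    method = idp.get("clientAuthenticationMethod")
    if not isinstance(method, str) or method not in AUTH_METHODS:
        problems.append("clientAuthenticationMethod: must be BASIC or POST")

    for member in COMMON_MEMBERS:
        if not idp.get(member):
            problems.append(f"{member}: missing")
    for member in URL_MEMBERS:
        value = idp.get(member)
        if value and not _is_https(value):
            problems.append(f"{member}: must be an https URL")

    if idp_type:
        expected, other_type_only = TYPE_RULES[idp_type]
        scopes = idp.get("scopes") or []
        for member in expected:
            if not idp.get(member):
                problems.append(f"{member}: expected for type {idp_type}")
        for member in other_type_only:
            if idp.get(member):
                problems.append(f"{member}: not used by type {idp_type}")
        if idp_type == "OIDC" and "openid" not in scopes:
            problems.append("scopes: OIDC needs the openid scope")
        if idp_type == "OAUTH2" and "openid" in scopes:
            problems.append("scopes: OAUTH2 must not include openid")
    return sorted(problems)


# Constructed sample objects; the endpoints and credentials are not real.
GOOD_OIDC = {
    "name": "Example OIDC IdP",
    "clientId": "constructed-client-id",
    "clientSecret": "constructed-secret",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://idp.example.com/authorize",
    "tokenEndpoint": "https://idp.example.com/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://idp.example.com/jwks",
    "type": "OIDC",
    "scopes": ["openid"],
}
# Same object relabelled as OAUTH2 with a plain-http token endpoint.
BAD_OAUTH2 = dict(GOOD_OIDC, type="OAUTH2",
                  tokenEndpoint="http://idp.example.com/token")

if __name__ == "__main__":
    for label, idp in (("GOOD_OIDC", GOOD_OIDC), ("BAD_OAUTH2", BAD_OAUTH2)):
        print(label, validate_idp(idp) or "ok")
```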

Errors

This section provides details on the data object that reflects the API’s common response to error cases, and lists the API’s range of response status codes for both error and success cases.

Error responses

This API responds with Akamai HTTP Problem Details JSON objects for all 4xx and 5xx error codes. This sample shows an incorrect request error, where detail explains why the error occurred and instance may be useful if you need to communicate about the problem with your Akamai support representative:

{
    "type": "https://control.akamai.com/apps/oauth-portal/open/v1/errors/idp-validation",
    "title": "Validation Exception",
    "detail": "The value 'abc' of property 'tokenEndpoint' is not valid URL.",
    "instance": "909e5901-ae6f-4f2d-8b25-89b02ad0ddc9",
    "illegalParameter": "tokenEndpoint",
    "illegalValue": "abc"
}

HTTP status codes

The API responds with the following set of HTTP status codes for both success and failure scenarios.

Code Description
200 The operation was successful.
204 The resource was successfully deleted.
400 Bad Request.
401 Unauthorized access.
403 Access is forbidden.
404 Resource not found.
500 Internal server error.

Last modified: 3/20/2019