OAuth Management API v1

Registers identity providers that store API resource owners' credentials, and allows external client apps to access your resource server.

Overview

OAuth Management is part of Akamai’s API Gateway product. The gateway acts as an authorization server that ensures the proper authorization of external client apps that request resources from your registered APIs.

The OAuth Management API lets you register and manage third-party client apps that want to access resource owners’ data residing on your resource server. It also provides a way for you to register identity providers (IdPs) that store resource owners’ credentials.

To fully understand Akamai’s OAuth 2.0 implementation, make sure you’re familiar with how the traditional OAuth 2.0 roles (as described in RFC6749) correspond to the parties involved in API traffic at Akamai:

  • Resource owner. A user who intends to use a client app and whose data you store in your API in the form of API resources. As an API publisher, you control which client apps can access the resources and which IdPs can verify the identities of resource owners.

  • Resource server. The origin server that hosts your APIs.

  • Client app. A third-party mobile or web application that consumes resources within your API.

  • Authorization server. A server that integrates with IdPs to verify resource owners’ identities and provides access tokens and refresh tokens to client apps.

  • Identity provider. An entity that stores resource owners’ information and verifies their identities. Based on IdP-issued authorization grants, the Authorization Server creates access tokens and refresh tokens.

Who should use this API

Akamai provides APIs for developers, DevOps, and operations personnel as an alternative to using Akamai Control Center. This API provides the same functions that are available under the OAuth Management menu selection of Control Center.

The OAuth Management API works closely with the API Endpoint Definition API which you use to register and manage API endpoints on the Gateway. By implementing OAuth 2.0, you protect the resource owners’ data stored in these registered API endpoints in the form of API resources. You may also use the API Endpoint Definition API to define and assign OAuth scopes to specific API resources. This is often the first step when setting up OAuth in your system. Use this API to register IdPs and client apps only after you assign OAuth scopes.

Client apps that you register use Akamai-provided OAuth 2.0 endpoints to take part in the available OAuth flows. For details on each endpoint, see OAuth 2.0 endpoints.

Get started

To configure this API for the first time:

Resources

The OAuth Management API lets you interact with the following data objects:

  • A client app is a third-party web or mobile application that wants to access resource owners’ data residing on your resource server. The data is represented by API resources within your registered APIs. You can register a client app and associate it with specific APIs.

  • An identity provider is an entity that stores resource owners’ credentials and verifies their identities. You can register both third-party and your own IdPs.

  • A registered API is an API service you registered with Akamai that contains resource owners’ data in the form of API resources. You can grant third-party client apps access to registered APIs that are active and have the OAuth feature enabled. For details on registering and managing APIs, see API Endpoint Definition API.

API summary

Download the RAML descriptors for this API.

Operation                        Method   Endpoint
APIs
List registered APIs             GET      /gateway-oauth/v1/apis
Clients
List client apps                 GET      /gateway-oauth/v1/clients
Register a client app            POST     /gateway-oauth/v1/clients
Get a client app                 GET      /gateway-oauth/v1/clients/{clientId}
Edit a client app                PUT      /gateway-oauth/v1/clients/{clientId}
Delete a client app              DELETE   /gateway-oauth/v1/clients/{clientId}
Identity providers
List identity providers          GET      /gateway-oauth/v1/idps
Register an identity provider    POST     /gateway-oauth/v1/idps
Get an identity provider         GET      /gateway-oauth/v1/idps/{idpId}
Edit an identity provider        PUT      /gateway-oauth/v1/idps/{idpId}
Delete an identity provider      DELETE   /gateway-oauth/v1/idps/{idpId}

List registered APIs

Lists all registered APIs associated with your current account context for which you enabled OAuth in the API Endpoint Definition API. It also provides the status, geographic location, and security context of each returned API. Use this operation’s response object to monitor your APIs’ status changes and before running the Register a client app and Edit a client app operations.

GET /gateway-oauth/v1/apis

Status 200 application/json

Download schema: apis.schema.json

Response body:

[
    {
        "id": "0IYdWc7WgIa8MVT1Ii1gWCphbLhOIPS8U8",
        "name": "Bookstore Main API",
        "status": "READY",
        "geo": "core",
        "network": "L1"
    },
    {
        "id": "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "name": "Bookstore Premium API",
        "status": "PENDING"
    }
]

List client apps

Lists the details of registered client apps that have access to your resource server.

GET /gateway-oauth/v1/clients

Status 200 application/json

Download schema: clients.schema.json

Response body:

[
    {
        "name": "Fast Book Orders",
        "clientId": "2d45a874-c565-4869-95f9-464e17b686f0",
        "clientSecret": "b459080c05cba71725f661122aefe5e4d3733b3cc0f3264e7734e733cf567946",
        "apiIds": [
            "1251fe6b2fc2ade45c90d3b063a7a73e",
            "0af7d190e227cfa0a492ddb057267e35"
        ],
        "authorizationGrantTypes": [
            "implicit"
        ],
        "redirectUris": [
            "https://fastbookorders.akamai.com/redirect"
        ],
        "contactEmail": "fbo_admin@akamai.com",
        "createdBy": "bookstore_admin",
        "createdOn": "2018-12-04T14:59:45.078Z"
    },
    {
        "name": "Book Order Management",
        "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
        "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
        "apiIds": [
            "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
            "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
        ],
        "authorizationGrantTypes": [
            "authorization_code"
        ],
        "redirectUris": [
            "http://bookorder.akamai.com/redirect"
        ],
        "contactEmail": "bookorder_admin@akamai.com",
        "createdBy": "bookstore_admin",
        "createdOn": "2019-01-17T12:48:25.093Z"
    }
]

Register a client app

Registers a client app with Akamai. A registered client app may access your resource server.

POST /gateway-oauth/v1/clients

Content-Type: application/json

Object type: Client

Download schema: client.schema.json

Request body:

{
    "name": "Book Order Management",
    "authorizationGrantTypes": [
        "authorization_code"
    ],
    "redirectUris": [
        "http://bookorder.akamai.com/redirect"
    ],
    "contactEmail": "bookorder_admin@akamai.com",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ]
}

Status 200 application/json

Object type: Client

Download schema: client.schema.json

Response body:

{
    "name": "Book Order Management",
    "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
    "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ],
    "authorizationGrantTypes": [
        "authorization_code"
    ],
    "redirectUris": [
        "http://bookorder.akamai.com/redirect"
    ],
    "contactEmail": "bookorder_admin@akamai.com",
    "createdBy": "bookstore_admin",
    "createdOn": "2019-01-17T12:48:25.093Z"
}

  1. Obtain the redirectUris to associate with the client app, and the contactEmail. NOTE: You may need to contact the client app developer on whose behalf you are registering the client app to get the required information.

  2. If you don’t already have IDs of the APIs that you want to allow the client app to access, run the List registered APIs operation. Use the appropriate objects from the response’s array.

  3. Build a Client object, specifying the unique name, the authorizationGrantTypes, contactEmail, redirectUris, and apiIds.

  4. POST the object to /gateway-oauth/v1/clients.

The response reflects back the complete Client object, from which you can get the clientId value. You can provide the clientId and clientSecret values to the client app developer.

Get a client app

Returns the details of a registered client app.

GET /gateway-oauth/v1/clients/{clientId}

Sample: /gateway-oauth/v1/clients/064dcef4-cf91-400a-b969-87bda8844193

Parameter Type Sample Description
URL path parameters
clientId String 064dcef4-cf91-400a-b969-87bda8844193 The unique identifier for a registered client app.

Status 200 application/json

Object type: Client

Download schema: client.schema.json

Response body:

[
    {
        "name": "Fast Book Orders",
        "clientId": "2d45a874-c565-4869-95f9-464e17b686f0",
        "clientSecret": "b459080c05cba71725f661122aefe5e4d3733b3cc0f3264e7734e733cf567946",
        "apiIds": [
            "1251fe6b2fc2ade45c90d3b063a7a73e",
            "0af7d190e227cfa0a492ddb057267e35"
        ],
        "authorizationGrantTypes": [
            "implicit"
        ],
        "redirectUris": [
            "https://fastbookorders.akamai.com/redirect"
        ],
        "contactEmail": "fbo_admin@akamai.com",
        "createdBy": "bookstore_admin",
        "createdOn": "2018-12-04T14:59:45.078Z"
    },
    {
        "name": "Book Order Management",
        "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
        "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
        "apiIds": [
            "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
            "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
        ],
        "authorizationGrantTypes": [
            "authorization_code"
        ],
        "redirectUris": [
            "http://bookorder.akamai.com/redirect"
        ],
        "contactEmail": "bookorder_admin@akamai.com",
        "createdBy": "bookstore_admin",
        "createdOn": "2019-01-17T12:48:25.093Z"
    }
]

  1. If you don’t already have a clientId value, run the List client apps operation.

  2. Select the appropriate client app from the returned array and store its clientId value.

  3. Make a GET request to /gateway-oauth/v1/clients/{clientId}.

The response is a Client object.

Edit a client app

Updates the details of a registered client app.

PUT /gateway-oauth/v1/clients/{clientId}

Sample: /gateway-oauth/v1/clients/064dcef4-cf91-400a-b969-87bda8844193

Content-Type: application/json

Object type: Client

Download schema: client.schema.json

Request body:

{
    "name": "Book Order Management",
    "authorizationGrantTypes": [
        "authorization_code"
    ],
    "redirectUris": [
        "http://bookorder.akamai.com/redirect"
    ],
    "contactEmail": "bookorder_admin@akamai.com",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ]
}

Parameter Type Sample Description
URL path parameters
clientId String 064dcef4-cf91-400a-b969-87bda8844193 The unique identifier for a registered client app.

Status 200 application/json

Object type: Client

Download schema: client.schema.json

Response body:

{
    "name": "Book Order Management",
    "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
    "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ],
    "authorizationGrantTypes": [
        "authorization_code"
    ],
    "redirectUris": [
        "http://bookorder.akamai.com/redirect"
    ],
    "contactEmail": "bookorder_admin@akamai.com",
    "createdBy": "bookstore_admin",
    "createdOn": "2019-01-17T12:48:25.093Z"
}

  1. If you don’t already have a clientId value, run the List client apps operation to get it.

  2. Select the appropriate client app from the returned array and store its clientId value.

  3. Run the Get a client app operation for the complete representation of the object.

  4. If you don’t already have IDs of the APIs that you want to allow the client app to access, run the List registered APIs operation. Use the appropriate objects from the response’s array.

  5. Modify the returned Client object.

  6. PUT the object back to the same URL as the GET: /gateway-oauth/v1/clients/{clientId}.

A 200 response confirms success, and the response object reflects your modifications.

Delete a client app

Removes a registered client app.

DELETE /gateway-oauth/v1/clients/{clientId}

Sample: /gateway-oauth/v1/clients/064dcef4-cf91-400a-b969-87bda8844193

Parameter Type Sample Description
URL path parameters
clientId String 064dcef4-cf91-400a-b969-87bda8844193 The unique identifier for a registered client app.

Status 204

  1. If you don’t already have a clientId value, run the List client apps operation.

  2. Select the appropriate client app from the returned array and store its clientId value.

  3. Make a DELETE request to /gateway-oauth/v1/clients/{clientId}.

A 204 response confirms the object has been deleted.

List identity providers

Lists the details of registered identity providers.

GET /gateway-oauth/v1/idps

Status 200 application/json

Download schema: idps.schema.json

Response body:

[
    {
        "id": "1e32cfb6-fe86-453c-a100-3ac6f2145604",
        "name": "Google",
        "clientId": "e5ce6475562c5886437db775ad5eb78f.apps.googleusercontent.com",
        "clientSecret": "977490fef3182b8fa6fead0918960927",
        "clientAuthenticationMethod": "BASIC",
        "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
        "userInfoEndpoint": "",
        "userInfoUserNameAttributeName": "",
        "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
        "scopes": [
            "openid"
        ],
        "type": "OIDC",
        "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/1e32cfb6-fe86-453c-a100-3ac6f2145604",
        "createdBy": "userA",
        "createdOn": "2018-09-25T15:49:57.802Z"
    },
    {
        "id": "c514b894-b8f2-4815-90ca-24bfed29cd90",
        "name": "Github",
        "clientId": "b04c8720433e52c0bb45",
        "clientSecret": "1677886e84abba104c8efa4a6c967b5f",
        "clientAuthenticationMethod": "BASIC",
        "authorizationEndpoint": "https://github.com/login/oauth/authorize",
        "tokenEndpoint": "https://github.com/login/oauth/access_token",
        "userInfoEndpoint": "https://api.github.com/user",
        "userInfoUserNameAttributeName": "id",
        "jwksUri": "",
        "scopes": [
            "read:user"
        ],
        "type": "OAUTH2",
        "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/c514b894-b8f2-4815-90ca-24bfed29cd90",
        "createdBy": "userA",
        "createdOn": "2018-09-19T13:19:03.948Z",
        "updatedBy": "userB",
        "updatedOn": "2018-09-19T13:43:10.419Z"
    }
]

Register an identity provider

Registers an identity provider (IdP) with Akamai. The Akamai Authorization Server can integrate with registered IdPs to verify the identity of client apps’ users.

POST /gateway-oauth/v1/idps

Content-Type: application/json

Object type: Idp

Download schema: idp.schema.json

Request body:

{
    "name": "GitHub",
    "clientId": "222fedffc11d937ee20",
    "clientSecret": "57715f962d5347498f5fab3f842d46dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://github.com/login/oauth/authorize",
    "tokenEndpoint": "https://github.com/login/oauth/access_token",
    "userInfoEndpoint": "https://api.github.com/user",
    "userInfoUserNameAttributeName": "id",
    "jwksUri": "",
    "scopes": [
        "read:user"
    ],
    "type": "OAUTH2"
}

Status 200 application/json

Object type: Idp

Download schema: idp.schema.json

Response body:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

  1. Provide the necessary details about the Akamai Authorization Server to the IdP that you want to register.

  2. Note the details that the IdP provided in response to your requests, such as clientId, clientSecret, clientAuthenticationMethod, authorizationEndpoint, tokenEndpoint, the IdP type, and client scopes. Depending on the IdP type, note also the userInfoEndpoint and userInfoUserNameAttributeName (for the OAUTH2 IdP type), or the jwksUri (for the OIDC IdP type).

  3. Build an Idp object, specifying a unique name for the IdP and all the details that you received from the IdP.

  4. POST the object to /gateway-oauth/v1/idps.

The response reflects back the complete Idp object, from which you can take the id value to store. You can provide the redirectUri value to the IdP to finish registering the Akamai Authorization Server at the IdP.

Get an identity provider

Returns the details of a registered identity provider.

GET /gateway-oauth/v1/idps/{idpId}

Sample: /gateway-oauth/v1/idps/1d331399-1e0a-405c-9531-1f65de55b511

Parameter Type Sample Description
URL path parameters
idpId String 1d331399-1e0a-405c-9531-1f65de55b511 The unique identifier for a registered identity provider.

Status 200 application/json

Object type: Idp

Download schema: idp.schema.json

Response body:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

  1. If you don’t already have an id value, run the List identity providers operation.

  2. Select the appropriate IdP from the returned array and store its id value as idpId.

  3. Make a GET request to /gateway-oauth/v1/idps/{idpId}.

The response is an Idp object.

Edit an identity provider

Updates the details of a registered identity provider.

PUT /gateway-oauth/v1/idps/{idpId}

Sample: /gateway-oauth/v1/idps/1d331399-1e0a-405c-9531-1f65de55b511

Content-Type: application/json

Object type: Idp

Download schema: idp.schema.json

Request body:

{
    "name": "GitHub",
    "clientId": "222fedffc11d937ee20",
    "clientSecret": "57715f962d5347498f5fab3f842d46dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://github.com/login/oauth/authorize",
    "tokenEndpoint": "https://github.com/login/oauth/access_token",
    "userInfoEndpoint": "https://api.github.com/user",
    "userInfoUserNameAttributeName": "id",
    "jwksUri": "",
    "scopes": [
        "read:user"
    ],
    "type": "OAUTH2"
}

Parameter Type Sample Description
URL path parameters
idpId String 1d331399-1e0a-405c-9531-1f65de55b511 The unique identifier for a registered identity provider.

Status 200 application/json

Object type: Idp

Download schema: idp.schema.json

Response body:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

  1. If you don’t already have an id value, run the List identity providers operation.

  2. Select the appropriate IdP from the returned array and store its id value as idpId.

  3. Run the Get an identity provider operation for the complete representation of the object.

  4. Modify the returned Idp object.

  5. PUT the object back to the same URL as the GET: /gateway-oauth/v1/idps/{idpId}.

A 200 response confirms success, and the response object reflects your modifications.

Delete an identity provider

Removes a registered identity provider. Once removed, the identity provider can no longer be used to verify the identity of client apps’ users.

DELETE /gateway-oauth/v1/idps/{idpId}

Sample: /gateway-oauth/v1/idps/1d331399-1e0a-405c-9531-1f65de55b511

Parameter Type Sample Description
URL path parameters
idpId String 1d331399-1e0a-405c-9531-1f65de55b511 The unique identifier for a registered identity provider.

Status 204

  1. If you don’t already have an id value, run the List identity providers operation.

  2. Select the appropriate IdP from the returned array and store its id value as idpId.

  3. Make a DELETE request to /gateway-oauth/v1/idps/{idpId}.

A 204 response confirms the object has been deleted.

Data

This section provides details for each type of data object the API exchanges.

Download the JSON schemas for this API.

The data schema tables below list membership requirements as follows:

  • Required: the member is required in requests, or always present in responses, even if its value is empty or null.

  • Optional: the member is optional, and may be omitted in some cases.

Api

Collects information about a registered API associated with your current account context and for which you enabled OAuth in the API Endpoint Definition API.

Download schema: api.schema.json

Sample GET response:

[
    {
        "id": "0IYdWc7WgIa8MVT1Ii1gWCphbLhOIPS8U8",
        "name": "Bookstore Main API",
        "status": "READY",
        "geo": "core",
        "network": "L1"
    },
    {
        "id": "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "name": "Bookstore Premium API",
        "status": "PENDING"
    }
]

Api members

Member Type Required Description
Api: Collects information about a registered API associated with your current account context and for which you enabled OAuth in the API Endpoint Definition API.
geo Enumeration The geographic area where the API is available. These are the available values: core, china, or russia. This member is only available for APIs whose status is set to READY.
id String The unique identifier for the registered API.
name String The name of the registered API.
network Enumeration The type of security used for traffic served by the API. Either L1 for Standard TLS hostnames, or L3 for Shared Certificate and Enhanced TLS hostnames. You decide on the type of security when creating edge hostnames in Property Manager. To learn more about Standard and Enhanced TLS, see Creating edge hostnames. This member is only available for APIs whose status is set to READY.
status Enumeration The status of the API. These are the available values: PENDING for an API that is being processed (processing time may range from a few seconds to a few minutes); READY for an API that has been processed successfully, which you can use in the configuration of your client app; INVALID for an API that has either caused an internal server error or included hostnames from mutually exclusive geographies in its configuration.

Client

Collects information about a client app that you register in OAuth Management.

Download schema: client.schema.json

Sample GET response:

{
    "name": "Book Order Management",
    "clientId": "38064359-9d1e-42cf-9c79-9b43198eb74f",
    "clientSecret": "58c2542ce5badd1faf31bce276dfab5790fdd4605aa453cacfe0812f810336aa",
    "apiIds": [
        "0gA6xbdJp5Q6wJTehi6XndxUyu9QGMUaNL",
        "1nFCFlfnmYFFcu9MIU5c2QyyOM6YzDVQUu"
    ],
    "authorizationGrantTypes": [
        "authorization_code"
    ],
    "redirectUris": [
        "http://bookorder.akamai.com/redirect"
    ],
    "contactEmail": "bookorder_admin@akamai.com",
    "createdBy": "bookstore_admin",
    "createdOn": "2019-01-17T12:48:25.093Z"
}

Client members

Member Type Required Description
Client: Collects information about a client app that you register in OAuth Management.
apiIds Array The collection of unique identifiers of active registered APIs for which you enabled OAuth in the API Endpoint Definition API. The APIs must be associated with your current account context. Note that you can only use IDs of APIs that have their status set to READY, that operate in a single network (either L1 or L3), and that don’t belong to mutually exclusive geographies (china and russia). To learn more about the status, geo, and network members, see the Api object.
authorizationGrantTypes Array The collection of authorization grant types that you want to allow for the client app. The authorization_code grant type is about sending to a client app an authorization code that the client app exchanges for access and refresh tokens. It’s the most secure option suitable for confidential client apps. The implicit grant type involves passing an access token directly to the client app and is suitable for public client apps. The client_credentials grant type is best for trusted client apps that act as resource owners. Specify at least one authorization grant type.
clientId String Read-only. The unique identifier of the client app at the Authorization Server. Provide this value and the clientSecret to client app developers to let them access resources within your registered APIs.
clientSecret String Read-only. The secret that allows the client app to exchange an authorization code for an access token. Provide this value and the clientId to client app developers to let them access resources within your registered APIs.
contactEmail String The contact email of the client app developer on whose behalf you register the client app.
createdBy String Read-only. The name of the Akamai user who registered the client app.
createdOn String Read-only. The ISO 8601 timestamp indicating when you registered the client app.
name String The name under which you register the client app. Resource owners see this name on a consent page when they give the client app permissions to use their data.
redirectUris Array The collection of URLs where the Authorization Server may redirect the resource owner after the client app successfully authorizes. Specify this only if you selected authorization_code or implicit for the associated authorizationGrantTypes member. Make sure each URL starts with https.
updatedBy String Read-only. The name of the Akamai user who last updated the client app.
updatedOn String Read-only. The ISO 8601 timestamp indicating when you last updated the client app.
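As an added pre-flight check (example code written for this page, not Akamai’s own), the following Python validates a Client object against the rules stated in the Register a client app procedure and in the apiIds, authorizationGrantTypes and redirectUris descriptions above, using a constructed List registered APIs response, and summarises the HTTP Problem Details body described under Errors if the POST is rejected. The Akamai host name, request signing (EdgeGrid in practice) and the network call itself are left to the caller and are assumptions; all ids, addresses and names in it are made up.

```python
"""Pre-flight checks for a Client registration payload.

Added example, not Akamai's code. It checks a Client object against the
constraints this page states for name, contactEmail, authorizationGrantTypes,
redirectUris and apiIds before the object is POSTed, and summarises an
HTTP Problem Details error body if the POST is rejected. Request signing
(Akamai EdgeGrid in practice) and the network call are left to the caller;
the Akamai host name used below is a placeholder.
"""
import json
from urllib.parse import urlparse

ALLOWED_GRANT_TYPES = {"authorization_code", "implicit", "client_credentials"}
REDIRECT_GRANT_TYPES = {"authorization_code", "implicit"}   # grants that redirect a browser
EXCLUSIVE_GEOS = {"china", "russia"}                        # cannot be mixed in one client

# Constructed sample of what "List registered APIs" returns (ids are made up).
SAMPLE_APIS = [
    {"id": "api-main", "name": "Bookstore Main API", "status": "READY", "geo": "core", "network": "L1"},
    {"id": "api-premium", "name": "Bookstore Premium API", "status": "PENDING"},
    {"id": "api-cn", "name": "Bookstore China API", "status": "READY", "geo": "china", "network": "L3"},
    {"id": "api-ru", "name": "Bookstore Russia API", "status": "READY", "geo": "russia", "network": "L1"},
]


def is_https(url):
    """True only for an absolute URL whose scheme is https."""
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def validate_client(client, apis):
    """Return the list of problems found; an empty list means the payload is acceptable."""
    problems = []
    apis_by_id = {api["id"]: api for api in apis}

    for member in ("name", "contactEmail"):
        if not client.get(member):
            problems.append(f"{member}: required")

    grants = set(client.get("authorizationGrantTypes") or [])
    if not grants:
        problems.append("authorizationGrantTypes: specify at least one grant type")
    for grant in sorted(grants - ALLOWED_GRANT_TYPES):
        problems.append(f"authorizationGrantTypes: unknown grant type {grant!r}")

    uris = client.get("redirectUris") or []
    needs_redirect = bool(grants & REDIRECT_GRANT_TYPES)
    if needs_redirect and not uris:
        problems.append("redirectUris: required with authorization_code or implicit")
    if uris and not needs_redirect:
        problems.append("redirectUris: only used with authorization_code or implicit")
    for uri in uris:
        if not is_https(uri):
            problems.append(f"redirectUris: {uri!r} must start with https")

    # apiIds must point at READY APIs, all on one network, never china together with russia.
    selected = []
    for api_id in client.get("apiIds") or []:
        api = apis_by_id.get(api_id)
        if api is None:
            problems.append(f"apiIds: {api_id!r} is not a registered OAuth-enabled API")
        elif api.get("status") != "READY":
            problems.append(f"apiIds: {api_id!r} has status {api.get('status')}, not READY")
        else:
            selected.append(api)
    networks = {api["network"] for api in selected}
    if len(networks) > 1:
        problems.append(f"apiIds: APIs span more than one network: {sorted(networks)}")
    if EXCLUSIVE_GEOS <= {api["geo"] for api in selected}:
        problems.append("apiIds: china and russia APIs are mutually exclusive")
    return problems


def build_register_request(client, apis, host="akamai-api-host.example"):
    """Return (url, json_body) for POST /gateway-oauth/v1/clients, or raise on validation problems."""
    problems = validate_client(client, apis)
    if problems:
        raise ValueError("; ".join(problems))
    return f"https://{host}/gateway-oauth/v1/clients", json.dumps(client)


def summarise_problem_details(body):
    """One-line summary of an Akamai HTTP Problem Details body returned for 4xx/5xx."""
    err = json.loads(body)
    summary = f"{err.get('title')}: {err.get('detail')}"
    if "illegalParameter" in err:
        summary += f" (parameter {err['illegalParameter']!r}, value {err.get('illegalValue')!r})"
    if "instance" in err:
        summary += f" [instance {err['instance']}]"   # the id to quote to Akamai support
    return summary


if __name__ == "__main__":
    candidate = {
        "name": "Book Order Management",
        "authorizationGrantTypes": ["authorization_code"],
        "redirectUris": ["http://bookorder.example/redirect"],   # not https: reported below
        "contactEmail": "bookorder_admin@example.com",
        "apiIds": ["api-main", "api-premium"],
    }
    for problem in validate_client(candidate, SAMPLE_APIS):
        print("-", problem)
```

Run the validator against the List registered APIs response you actually received before each Register or Edit call; it reports every problem at once rather than stopping at the first, which is what you want when reconciling a payload gathered from a client app developer.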

Idp

Collects information about an identity provider (IdP) you register in OAuth Management.

Download schema: idp.schema.json

Sample GET response:

{
    "id": "36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "name": "Google",
    "clientId": "b7b7c4a86e958ea522afe844b7c46c7f.apps.googleusercontent.com",
    "clientSecret": "e55491231ba6f1bc07f15cce4ac3f9dd",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": [
        "openid"
    ],
    "type": "OIDC",
    "redirectUri": "https://oauth.akamai.com/oauth-api/login/oauth2/code/36be6260-6b8a-4032-b74a-c82dfe1c99b1",
    "createdBy": "userA",
    "createdOn": "2018-09-25T15:49:57.802Z"
}

Idp members

Member Type Required Description
Idp: Collects information about an identity provider (IdP) you register in OAuth Management.
authorizationEndpoint String The IdP-provided URL that the Authorization Server uses to obtain an authorization grant. Make sure the URL starts with https.
clientAuthenticationMethod Enumeration The method that the IdP uses to authenticate client requests. Either BASIC for HTTP basic authentication, or POST for POST-body authentication.
clientId String The unique identifier the IdP generates for the Authorization Server.
clientSecret String The secret generated by the IdP that allows the Authorization Server to exchange an IdP-issued authorization code for an access token.
createdBy String Read-only. The name of the Akamai user who registered the IdP.
createdOn String Read-only. The ISO 8601 timestamp indicating when you registered the IdP.
id String Read-only. The unique identifier for the IdP.
jwksUri String The URL to a JSON web key set that contains a set of public keys to use for verification of JSON web tokens. Specify this only if you set the corresponding type member to OIDC and make sure the URL starts with https.
name String The name under which you register the IdP. Resource owners see this name on a consent page when they choose the IdP to authenticate with.
redirectUri String Read-only. The Akamai-generated redirect URL that you can use to register Akamai at an IdP.
scopes Array The set of permissions that a resource owner grants to the Authorization Server so that an IdP can verify the resource owner’s credentials. The first consent page that a resource owner encounters during the OAuth process contains this set of scopes. For the type member set to OIDC, include the openid scope in this member. For the type member set to OAUTH2, don’t include the openid scope in this member.
tokenEndpoint String The IdP-provided URL that the Authorization Server uses to exchange an authorization grant for an access token. Make sure the URL starts with https.
type Enumeration The type of the IdP. Either OIDC for IdPs that use JSON web token authentication, or OAUTH2 for IdPs that use opaque token authentication.
updatedBy String Read-only. The name of the Akamai user who last updated the IdP.
updatedOn String Read-only. The ISO 8601 timestamp indicating when you last updated the IdP.
userInfoEndpoint String The IdP-provided URL that the Authorization Server uses to validate the access token against the information present at the IdP. Specify this only if you set the corresponding type member to OAUTH2 and make sure the URL starts with https.
userInfoUserNameAttributeName String The attribute name returned by the user info endpoint that contains a user name as its value. Specify this only if you set the corresponding type member to OAUTH2.
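As an added example (written for this page, not Akamai’s code), the following Python applies the Idp member rules above, including the type-specific ones from the Register an identity provider procedure (OIDC needs jwksUri and the openid scope; OAUTH2 needs userInfoEndpoint and userInfoUserNameAttributeName and must not carry openid), and masks clientSecret in List/Get responses before they are logged or stored, since the API returns that secret in clear text. The two sample IdP objects are constructed here, with made-up client ids and secrets.

```python
"""Checks for an Idp registration payload, plus redaction of stored secrets.

Added example, not Akamai's code. validate_idp() applies the rules this page
states for Idp members, including the type-specific ones for OIDC and OAUTH2
identity providers. redact_secrets() masks clientSecret in list/get responses
before they are logged or stored, because the API returns the secret in clear
text. The sample objects are constructed; their ids and secrets are made up.
"""
from urllib.parse import urlparse

IDP_TYPES = {"OIDC", "OAUTH2"}
AUTH_METHODS = {"BASIC", "POST"}
SECRET_MEMBERS = {"clientSecret"}

# Constructed OIDC and OAUTH2 registrations shaped like the page's samples.
SAMPLE_OIDC = {
    "name": "Google",
    "clientId": "example-client.apps.googleusercontent.com",
    "clientSecret": "made-up-secret-1",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userInfoEndpoint": "",
    "userInfoUserNameAttributeName": "",
    "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
    "scopes": ["openid"],
    "type": "OIDC",
}
SAMPLE_OAUTH2 = {
    "name": "GitHub",
    "clientId": "example-github-client",
    "clientSecret": "made-up-secret-2",
    "clientAuthenticationMethod": "BASIC",
    "authorizationEndpoint": "https://github.com/login/oauth/authorize",
    "tokenEndpoint": "https://github.com/login/oauth/access_token",
    "userInfoEndpoint": "https://api.github.com/user",
    "userInfoUserNameAttributeName": "id",
    "jwksUri": "",
    "scopes": ["read:user"],
    "type": "OAUTH2",
}


def is_https(url):
    """True only for an absolute URL whose scheme is https."""
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def validate_idp(idp):
    """Return the list of problems found; an empty list means the payload is acceptable."""
    problems = []
    for member in ("name", "clientId", "clientSecret"):
        if not idp.get(member):
            problems.append(f"{member}: required")
    if idp.get("clientAuthenticationMethod") not in AUTH_METHODS:
        problems.append("clientAuthenticationMethod: must be BASIC or POST")
    for member in ("authorizationEndpoint", "tokenEndpoint"):
        if not is_https(idp.get(member)):
            problems.append(f"{member}: must be an https URL")

    idp_type = idp.get("type")
    scopes = set(idp.get("scopes") or [])
    if idp_type == "OIDC":
        # OIDC: tokens are JWTs verified against the key set; openid scope is mandatory.
        if not is_https(idp.get("jwksUri")):
            problems.append("jwksUri: OIDC IdPs need an https JSON web key set URL")
        if "openid" not in scopes:
            problems.append("scopes: OIDC IdPs must include openid")
        for member in ("userInfoEndpoint", "userInfoUserNameAttributeName"):
            if idp.get(member):
                problems.append(f"{member}: only for OAUTH2 IdPs")
    elif idp_type == "OAUTH2":
        # OAUTH2: opaque tokens are validated at the user info endpoint instead.
        if not is_https(idp.get("userInfoEndpoint")):
            problems.append("userInfoEndpoint: OAUTH2 IdPs need an https user info URL")
        if not idp.get("userInfoUserNameAttributeName"):
            problems.append("userInfoUserNameAttributeName: required for OAUTH2 IdPs")
        if "openid" in scopes:
            problems.append("scopes: OAUTH2 IdPs must not include openid")
        if idp.get("jwksUri"):
            problems.append("jwksUri: only for OIDC IdPs")
    else:
        problems.append("type: must be OIDC or OAUTH2")
    return problems


def redact_secrets(obj):
    """Deep copy of a response (object or array) with every clientSecret masked."""
    if isinstance(obj, list):
        return [redact_secrets(item) for item in obj]
    if isinstance(obj, dict):
        return {key: ("<redacted>" if key in SECRET_MEMBERS else redact_secrets(value))
                for key, value in obj.items()}
    return obj


if __name__ == "__main__":
    broken = dict(SAMPLE_OIDC, jwksUri="", scopes=["profile"])
    for problem in validate_idp(broken):
        print("-", problem)
    print(redact_secrets([SAMPLE_OIDC, SAMPLE_OAUTH2]))
```

Pass the parsed List identity providers or Get an identity provider response through redact_secrets before writing it to any log, ticket or configuration store; the clientSecret it carries is the credential the Authorization Server uses at the IdP's token endpoint.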

Errors

This section provides details on the data object that reflects the API’s common response to error cases, and lists the API’s range of response status codes for both error and success cases.

Error responses

This API responds with Akamai HTTP Problem Details JSON objects for all 4xx and 5xx error codes. This sample shows an incorrect request error, where detail explains why the error occurred and instance may be useful if you need to communicate about the problem with your Akamai support representative:

{
    "type": "https://control.akamai.com/apps/oauth-portal/open/v1/errors/idp-validation",
    "title": "Validation Exception",
    "detail": "The value 'abc' of property 'tokenEndpoint' is not valid URL.",
    "instance": "909e5901-ae6f-4f2d-8b25-89b02ad0ddc9",
    "illegalParameter": "tokenEndpoint",
    "illegalValue": "abc"
}

HTTP status codes

The API responds with the following set of HTTP status codes for both success and failure scenarios.

Code Description
200 The operation was successful.
204 The resource was successfully deleted.
400 Bad Request.
401 Unauthorized access.
403 Access is forbidden.
404 Resource not found.
500 Internal server error.

Last modified: 10/2/2019