Identity

Overview

The Identity service is an essential YaaS service. Use it to register custom identity providers for your organization.

Create and register a custom identity provider for your organization to allow your users to use YaaS with their existing accounts. With a properly configured custom identity provider in place, the YaaS OAuth2 service communicates with a remote user base to issue tokens. This allows your users to access the resources within the context of the organization for which you registered the identity provider without the need to create a new account to use with YaaS.

You can register multiple identity providers for a single organization. The custom identity provider is bound to the organization for which you register it. Using a custom identity provider, you can get tokens only for the organization you registered the custom identity provider for, as well as for all projects in that organization.

The Identity service is a central custom identity provider registry deployed in the EU region. To register a custom identity provider for the production environment, you must call the service at https://api.eu.yaas.io/hybris/identity/v1/.
After you register a custom identity provider, you can use it in both the US and the EU regions of YaaS.

API Reference

/registration-metadata

/registration-metadata

get

Get the YaaS OAuth2 service configuration metadata. You must register this metadata in the identity provider to establish successful communication between the identity provider and the OAuth2 service.

/providers

/providers

get

Use this endpoint to fetch all identity providers registered for your organization in YaaS.
Security/Access Control: To access this method, an access token must be issued for the requested organization and have the hybris.org_manage scope.

post

Use this endpoint to register a new identity provider for your organization in YaaS.
Security / Access Control: To access this method, an access token must be issued for the requested organization and have the hybris.org_manage scope.

Use this endpoint to register a new identity provider for your organization in YaaS.
Security / Access Control: To access this method, an access token must be issued for the requested organization and have the hybris.org_manage scope.

Headers

  • Authorization: required (string)

    Used to send a valid OAuth2 access token.

    Example:

    Bearer access_token

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema",
    "type": "object",
    "title": "Payload for the new Identity Provider.",
    "required": [
        "displayName"
    ],
    "properties": {
        "displayName": {
            "description": "Display name of the Identity Provider.",
            "type": "string"
        },
        "credentials": {
            "description": "Credentials which will be used in communication with the Identity Provider. Client registered with these credentials in the Identity Provider must be configured according to the settings which can be fetched from the /registration-metadata endpoint.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "required": [
                "clientId",
                "clientSecret"
            ],
            "properties": {
                "clientId": {
                    "description": "Client identifier",
                    "type": "string"
                },
                "clientSecret": {
                    "description": "Client secret",
                    "type": "string"
                }
            }
        },
        "openidConfiguration": {
            "description": "OpenID Provider metadata in the format defined in the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. If the Identity Provider supports OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) you can make GET request to its /.well-known/openid-configuration endpoint, copy the response, and paste it to this section.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "required": [
                "issuer"
            ],
            "properties": {
                "issuer": {
                    "description": "URL using the https scheme with no query or fragment component that the Identity Provider asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.",
                    "type": "string"
                },
                "end_session_endpoint": {
                    "description": "URL of the Identity Provider's OpenID Connect 1.0 end_session endpoint.",
                    "type": "string"
                },
                "authorization_endpoint": {
                    "description": "URL of the Identity Provider's OAuth 2.0 Authorization Endpoint.",
                    "type": "string"
                },
                "token_endpoint": {
                    "description": "URL of the Identity Provider's OAuth 2.0 Token Endpoint.",
                    "type": "string"
                },
                "jwks_uri": {
                    "description": "REQUIRED if jwks is NOT specified. URL of the Identity Provider's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the Identity Provider. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.",
                    "type": "string"
                },
                "jwks": {
                    "description": "The JSON Web Key Set [JWKS] document. This contains the signing key(s) the RP uses to validate signatures from the **Identity Provider**. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.",
                    "type": "array",
                    "$schema": "http://json-schema.org/draft-04/schema",
                    "title": "Set of the *JSON Web Key*'s",
                    "items": {
                        "$schema": "http://json-schema.org/draft-04/schema",
                        "title": "JSON Web Key",
                        "description": "The JSON Web Key [JWK] document.",
                        "type": "object",
                        "required": [
                            "kty"
                        ],
                        "properties": {
                            "kty": {
                                "description": "Key Type - identifies the cryptographic algorithm family used with the key, such as 'RSA' or 'EC'. The parameter values should either be registered in the IANA 'JSON Web Key Types' registry established by [JWA - https://tools.ietf.org/html/rfc7517#ref-JWA] or be a value that contains a Collision-Resistant Name. The parameter value is a case-sensitive string. A list of defined values can be found in the IANA 'JSON Web Key Types' registry established by [JWA]; the initial contents of this registry are the values defined in Section 6.1 of [JWA].",
                                "type": "string"
                            },
                            "use": {
                                "description": "Public Key Use - identifies the intended use of the public key.  The parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values defined by this specification are: 'sig' - signature; 'enc' - encryption.",
                                "type": "string"
                            },
                            "alg": {
                                "description": "Algorithm - identifies the algorithm intended for use with the key. The values used should either be registered in the IANA 'JSON Web Signature and Encryption Algorithms' registry established by [JWA - https://tools.ietf.org/html/rfc7517#ref-JWA] or be a value that contains a Collision-Resistant Name. The value is a case-sensitive ASCII string.",
                                "type": "string"
                            },
                            "kid": {
                                "description": "Key ID - is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the value is unspecified. When 'kid' values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct 'kid' values (one example in which different keys might use the same 'kid' value is if they have different 'kty' (key type) values but are considered to be equivalent alternatives by the application using them). The 'kid' value is a case-sensitive string. When used with JWS or JWE, the 'kid' value is used to match a JWS or JWE 'kid' Header Parameter value.",
                                "type": "string"
                            },
                            "x5c": {
                                "description": "X.509 Certificate Chain - contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] --not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK",
                                "type": "string"
                            },
                            "n": {
                                "description": "RSA public key modulus, supported only with the RSA key type.",
                                "type": "string"
                            },
                            "e": {
                                "description": "RSA public key exponent, supported only with the RSA key type.",
                                "type": "string"
                            }
                        }
                    }
                },
                "scopes_supported": {
                    "description": "Scopes supported by the OpenID Provider",
                    "type": "array",
                    "items": {
                        "type": "string"
                    }
                }
            }
        },
        "openidMetadata": {
            "description": "Required if openidConfiguration not specified. OpenID Provider metadata in the format defined in the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. If the Identity Provider supports OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) you can make GET request to its '/.well-known/openid-configuration' endpoint, copy the response, and paste it to this section.",
            "type": "object",
            "$ref": "openid-metadata"
        },
        "scopesGrant": {
            "description": "Allows to adjust scopes grant.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "title": "Scopes grant",
            "required": [
                "scopesSource"
            ],
            "properties": {
                "scopesSource": {
                    "description": "Determines the source of scopes granted to authenticated users. Available values are: 'yaas' - for scopes managed in YaaS Builder, 'claim' - for scopes managed in the Identity Provider and returned in ID token claim. Default value: 'yaas'",
                    "type": "string",
                    "enum": [
                        "yaas",
                        "claim"
                    ]
                },
                "claimName": {
                    "description": "Name of the claim containing scopes granted to the authenticated users. Works only if 'scopesSource' parameter is set to claim. If the 'claimName' is not specified, the service by default sets the 'claimName' to 'scope'.",
                    "type": "string"
                }
            }
        }
    }
}

Example:

{
    "displayName": "Production IDP (https://someorg.io)",
    "credentials": {
        "clientId": "a9883977-97e2-44d9-a4cb-7c2df0f7a267",
        "clientSecret": "2loftph991j058ud"
    },
    "openidMetadata": {
        "issuer": "https://accounts.google.com",
        "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
        "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
        "scopes_supported": [
            "openid",
            "email",
            "profile"
        ]
    }
}

HTTP status code 201

Identity provider has been successfully registered.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "title": "Resource Location",
    "description": "Schema for showing location of the new resource.",
    "properties": {
        "id": {
            "description": "The identifier of the created resource",
            "type": "string"
        },
        "link": {
            "description": "The link to the created resource",
            "type": "string",
            "format": "uri"
        }
    },
    "required": [
        "id",
        "link"
    ]
}

Example:

{
    "id": "15bca5db-ff30-41cc-b514-7e83d93ec8d9",
    "link": "http://api.eu.yaas.io/hybris/identity/v1/providers/15bca5db-ff30-41cc-b514-7e83d93ec8d9"
}

HTTP status code 400

Payload validation error

Body

Type: application/json

Schema:

errorMessage

Example:

{
    "status": 400,
    "type": "validation_violation",
    "message": "Field credentials cannot be empty",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 401

Given request is unauthorized. Bad or expired token. Reauthenticate the user. Any details will be provided within the response payload.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 401,
    "message": "Authorization: Unauthorized. Bearer TOKEN is invalid",
    "type": "insufficient_credentials",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 403

Evaluated request scopes in access token are not sufficient and do not match required scopes.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 403,
    "message": "Given request does not have required scopes in access token. It is not authorized to perform this operation.",
    "type": "insufficient_permissions"
}

/providers/{id}

get

Use this endpoint to fetch information about the identity provider with the specified ID.
Security/Access Control: To access this method, an access token must be issued for the organization which owns the identity provider and have the hybris.org_manage scope.

put

Use this endpoint to update the identity provider's information.
Security / Access Control: To access this method, an access token must be issued for the organization which owns the identity provider, and have the hybris.org_manage scope.

delete

Use this endpoint to delete a registered identity provider.
Security / Access Control: To access this method, an access token must be issued for the organization which owns the identity provider, and have the hybris.org_manage scope.

Use this endpoint to fetch information about the identity provider with the specified ID.
Security/Access Control: To access this method, an access token must be issued for the organization which owns the identity provider and have the hybris.org_manage scope.

URI Parameters

  • id: required (string)

Headers

  • Authorization: required (string)

    Used to send a valid OAuth2 access token.

    Example:

    Bearer access_token
  • If-None-Match: (string)

    The service returns a code 200 "successfull" response and payload in the body only when the ETag header value is different to the values passed in this header. If you don't meet these criteria, the client returns a code 304 "not modified" response and does not include the payload in the body. Use this header to implement objects cache.

HTTP status code 200

Information about the specified identity provider has been retrieved successfully.

Headers

  • ETag: (string)

    An entity tag, is an opaque token associated with a particular state of a resource. Whenever the resource state changes, the entity tag is changed accordingly. The ETag value can be used by clients and servers to determine if a request to a resource is up-to-date by comparing the value of the ETag header on the incoming request, to the value of the ETag header present on the server. If the values match, the client request is using an up-to-date representation of the resource. If the values do not match, the client should refresh its copy of the resource to make sure it is up-to-date.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema",
    "type": "object",
    "title": "Create Application",
    "required": [
        "id",
        "displayName",
        "openidMetadata",
        "metadata"
    ],
    "properties": {
        "id": {
            "description": "Identifier of the Identity Provider in YaaS.",
            "type": "string"
        },
        "displayName": {
            "description": "Display name of the Identity Provider.",
            "type": "string"
        },
        "credentials": {
            "description": "Credentials which will be used in communication with the Identity Provider. Client registered with these credentials in the Identity Provider must be configured according to the settings which can be fetched from the /registration-metadata endpoint.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "required": [
                "clientId",
                "clientSecret"
            ],
            "properties": {
                "clientId": {
                    "description": "Client identifier",
                    "type": "string"
                },
                "clientSecret": {
                    "description": "Client secret",
                    "type": "string"
                }
            }
        },
        "openidConfiguration": {
            "description": "OpenID Provider metadata in the format defined in the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. If the Identity Provider supports OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) you can make GET request to its /.well-known/openid-configuration endpoint, copy the response, and paste it to this section.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "required": [
                "issuer"
            ],
            "properties": {
                "issuer": {
                    "description": "URL using the https scheme with no query or fragment component that the Identity Provider asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.",
                    "type": "string"
                },
                "end_session_endpoint": {
                    "description": "URL of the Identity Provider's OpenID Connect 1.0 end_session endpoint.",
                    "type": "string"
                },
                "authorization_endpoint": {
                    "description": "URL of the Identity Provider's OAuth 2.0 Authorization Endpoint.",
                    "type": "string"
                },
                "token_endpoint": {
                    "description": "URL of the Identity Provider's OAuth 2.0 Token Endpoint.",
                    "type": "string"
                },
                "jwks_uri": {
                    "description": "REQUIRED if jwks is NOT specified. URL of the Identity Provider's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the Identity Provider. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.",
                    "type": "string"
                },
                "jwks": {
                    "description": "The JSON Web Key Set [JWKS] document. This contains the signing key(s) the RP uses to validate signatures from the **Identity Provider**. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.",
                    "type": "array",
                    "$schema": "http://json-schema.org/draft-04/schema",
                    "title": "Set of the *JSON Web Key*'s",
                    "items": {
                        "$schema": "http://json-schema.org/draft-04/schema",
                        "title": "JSON Web Key",
                        "description": "The JSON Web Key [JWK] document.",
                        "type": "object",
                        "required": [
                            "kty"
                        ],
                        "properties": {
                            "kty": {
                                "description": "Key Type - identifies the cryptographic algorithm family used with the key, such as 'RSA' or 'EC'. The parameter values should either be registered in the IANA 'JSON Web Key Types' registry established by [JWA - https://tools.ietf.org/html/rfc7517#ref-JWA] or be a value that contains a Collision-Resistant Name. The parameter value is a case-sensitive string. A list of defined values can be found in the IANA 'JSON Web Key Types' registry established by [JWA]; the initial contents of this registry are the values defined in Section 6.1 of [JWA].",
                                "type": "string"
                            },
                            "use": {
                                "description": "Public Key Use - identifies the intended use of the public key.  The parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values defined by this specification are: 'sig' - signature; 'enc' - encryption.",
                                "type": "string"
                            },
                            "alg": {
                                "description": "Algorithm - identifies the algorithm intended for use with the key. The values used should either be registered in the IANA 'JSON Web Signature and Encryption Algorithms' registry established by [JWA - https://tools.ietf.org/html/rfc7517#ref-JWA] or be a value that contains a Collision-Resistant Name. The value is a case-sensitive ASCII string.",
                                "type": "string"
                            },
                            "kid": {
                                "description": "Key ID - is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the value is unspecified. When 'kid' values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct 'kid' values (one example in which different keys might use the same 'kid' value is if they have different 'kty' (key type) values but are considered to be equivalent alternatives by the application using them). The 'kid' value is a case-sensitive string. When used with JWS or JWE, the 'kid' value is used to match a JWS or JWE 'kid' Header Parameter value.",
                                "type": "string"
                            },
                            "x5c": {
                                "description": "X.509 Certificate Chain - contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] --not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK",
                                "type": "string"
                            },
                            "n": {
                                "description": "RSA public key modulus, supported only with the RSA key type.",
                                "type": "string"
                            },
                            "e": {
                                "description": "RSA public key exponent, supported only with the RSA key type.",
                                "type": "string"
                            }
                        }
                    }
                },
                "scopes_supported": {
                    "description": "Scopes supported by the OpenID Provider",
                    "type": "array",
                    "items": {
                        "type": "string"
                    }
                }
            }
        },
        "openidMetadata": {
            "description": "Required if openidConfiguration not specified. OpenID Provider metadata in the format defined in the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. If the Identity Provider supports OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) you can make GET request to its /.well-known/openid-configuration endpoint, copy the response, and paste it to this section.",
            "type": "object",
            "$ref": "openid-metadata"
        },
        "scopesGrant": {
            "description": "Allows to adjust scopes grant.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "title": "Scopes grant",
            "required": [
                "scopesSource"
            ],
            "properties": {
                "scopesSource": {
                    "description": "Determines the source of scopes granted to authenticated users. Available values are: 'yaas' - for scopes managed in YaaS Builder, 'claim' - for scopes managed in the Identity Provider and returned in ID token claim. Default value: 'yaas'",
                    "type": "string",
                    "enum": [
                        "yaas",
                        "claim"
                    ]
                },
                "claimName": {
                    "description": "Name of the claim containing scopes granted to the authenticated users. Works only if 'scopesSource' parameter is set to claim. If the 'claimName' is not specified, the service by default sets the 'claimName' to 'scope'.",
                    "type": "string"
                }
            }
        },
        "metadata": {
            "description": "Object metadata",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "required": [
                "version",
                "createdAt",
                "modifiedAt"
            ],
            "properties": {
                "version": {
                    "description": "Object version",
                    "type": "string"
                },
                "createdAt": {
                    "description": "Object creation date and time",
                    "type": "string",
                    "format": "date-time"
                },
                "modifiedAt": {
                    "description": "Object last modification date and time",
                    "type": "string",
                    "format": "date-time"
                }
            }
        }
    }
}

Example:

{
    "id": "15bca5db-ff30-41cc-b514-7e83d93ec8d9",
    "displayName": "Production IDP (https://someorg.io)",
    "credentials": {
        "clientId": "a9883977-97e2-44d9-a4cb-7c2df0f7a267",
        "clientSecret": "2loftph991j058ud"
    },
    "openidMetadata": {
        "issuer": "https://accounts.google.com",
        "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
        "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
        "scopes_supported": [
            "openid",
            "email",
            "profile"
        ]
    },
    "metadata": {
        "version": "645b0cca-8d90-4382-ba0e-c52e1f327e73",
        "createdAt": "2017-06-14T09:53:42.523+0000",
        "modifiedAt": "2017-06-14T12:45:21.146+0000"
    }
}

HTTP status code 304

The object's data hasn't been modified. The service returns this status only if you passed the If-None-Match header in the request. Response does not contain any payload.

Headers

  • ETag: (string)

    An entity tag, is an opaque token associated with a particular state of a resource. Whenever the resource state changes, the entity tag is changed accordingly. The ETag value can be used by clients and servers to determine if a request to a resource is up-to-date by comparing the value of the ETag header on the incoming request, to the value of the ETag header present on the server. If the values match, the client request is using an up-to-date representation of the resource. If the values do not match, the client should refresh its copy of the resource to make sure it is up-to-date.

HTTP status code 401

Given request is unauthorized. Bad or expired token. Reauthenticate the user. Any details will be provided within the response payload.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 401,
    "message": "Authorization: Unauthorized. Bearer TOKEN is invalid",
    "type": "insufficient_credentials",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 403

Evaluated request scopes in access token are not sufficient and do not match required scopes.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 403,
    "message": "Given request does not have required scopes in access token. It is not authorized to perform this operation.",
    "type": "insufficient_permissions"
}

HTTP status code 404

There is no client with the given identifier.

Body

Type: application/json

Schema:

errorMessage

Example:

{
    "status": 404,
    "type": "element_non_existing",
    "message": "Identity Provider with requested ID does not exist or belongs to the other organization.",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

Use this endpoint to update the identity provider's information.
Security / Access Control: To access this method, an access token must be issued for the organization which owns the identity provider, and have the hybris.org_manage scope.

URI Parameters

  • id: required (string)

Headers

  • Authorization: required (string)

    Used to send a valid OAuth2 access token.

    Example:

    Bearer access_token
  • If-Match: (string)

    The request succeeds only when the value of this header matches the object version, stored in the ETag header. If the criteria is not met, the service returns a code 412 response and doesn't update the object. Use it to implement Optimistic Locking.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema",
    "type": "object",
    "title": "Payload for the new Identity Provider.",
    "required": [
        "displayName"
    ],
    "properties": {
        "displayName": {
            "description": "Display name of the Identity Provider.",
            "type": "string"
        },
        "credentials": {
            "description": "Credentials which will be used in communication with the Identity Provider. Client registered with these credentials in the Identity Provider must be configured according to the settings which can be fetched from the /registration-metadata endpoint.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "required": [
                "clientId",
                "clientSecret"
            ],
            "properties": {
                "clientId": {
                    "description": "Client identifier",
                    "type": "string"
                },
                "clientSecret": {
                    "description": "Client secret",
                    "type": "string"
                }
            }
        },
        "openidConfiguration": {
            "description": "OpenID Provider metadata in the format defined in the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. If the Identity Provider supports OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) you can make GET request to its /.well-known/openid-configuration endpoint, copy the response, and paste it to this section.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "required": [
                "issuer"
            ],
            "properties": {
                "issuer": {
                    "description": "URL using the https scheme with no query or fragment component that the Identity Provider asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.",
                    "type": "string"
                },
                "end_session_endpoint": {
                    "description": "URL of the Identity Provider's OpenID Connect 1.0 end_session endpoint.",
                    "type": "string"
                },
                "authorization_endpoint": {
                    "description": "URL of the Identity Provider's OAuth 2.0 Authorization Endpoint.",
                    "type": "string"
                },
                "token_endpoint": {
                    "description": "URL of the Identity Provider's OAuth 2.0 Token Endpoint.",
                    "type": "string"
                },
                "jwks_uri": {
                    "description": "REQUIRED if jwks is NOT specified. URL of the Identity Provider's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the Identity Provider. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.",
                    "type": "string"
                },
                "jwks": {
                    "description": "The JSON Web Key Set [JWKS] document. This contains the signing key(s) the RP uses to validate signatures from the **Identity Provider**. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.",
                    "type": "array",
                    "$schema": "http://json-schema.org/draft-04/schema",
                    "title": "Set of the *JSON Web Key*'s",
                    "items": {
                        "$schema": "http://json-schema.org/draft-04/schema",
                        "title": "JSON Web Key",
                        "description": "The JSON Web Key [JWK] document.",
                        "type": "object",
                        "required": [
                            "kty"
                        ],
                        "properties": {
                            "kty": {
                                "description": "Key Type - identifies the cryptographic algorithm family used with the key, such as 'RSA' or 'EC'. The parameter values should either be registered in the IANA 'JSON Web Key Types' registry established by [JWA - https://tools.ietf.org/html/rfc7517#ref-JWA] or be a value that contains a Collision-Resistant Name. The parameter value is a case-sensitive string. A list of defined values can be found in the IANA 'JSON Web Key Types' registry established by [JWA]; the initial contents of this registry are the values defined in Section 6.1 of [JWA].",
                                "type": "string"
                            },
                            "use": {
                                "description": "Public Key Use - identifies the intended use of the public key.  The parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data. Values defined by this specification are: 'sig' - signature; 'enc' - encryption.",
                                "type": "string"
                            },
                            "alg": {
                                "description": "Algorithm - identifies the algorithm intended for use with the key. The values used should either be registered in the IANA 'JSON Web Signature and Encryption Algorithms' registry established by [JWA - https://tools.ietf.org/html/rfc7517#ref-JWA] or be a value that contains a Collision-Resistant Name. The value is a case-sensitive ASCII string.",
                                "type": "string"
                            },
                            "kid": {
                                "description": "Key ID - is used to match a specific key. This is used, for instance, to choose among a set of keys within a JWK Set during key rollover. The structure of the value is unspecified. When 'kid' values are used within a JWK Set, different keys within the JWK Set SHOULD use distinct 'kid' values (one example in which different keys might use the same 'kid' value is if they have different 'kty' (key type) values but are considered to be equivalent alternatives by the application using them). The 'kid' value is a case-sensitive string. When used with JWS or JWE, the 'kid' value is used to match a JWS or JWE 'kid' Header Parameter value.",
                                "type": "string"
                            },
                            "x5c": {
                                "description": "X.509 Certificate Chain - contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] --not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK",
                                "type": "string"
                            },
                            "n": {
                                "description": "RSA public key modulus, supported only with the RSA key type.",
                                "type": "string"
                            },
                            "e": {
                                "description": "RSA public key exponent, supported only with the RSA key type.",
                                "type": "string"
                            }
                        }
                    }
                },
                "scopes_supported": {
                    "description": "Scopes supported by the OpenID Provider",
                    "type": "array",
                    "items": {
                        "type": "string"
                    }
                }
            }
        },
        "openidMetadata": {
            "description": "Required if openidConfiguration not specified. OpenID Provider metadata in the format defined in the specification: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. If the Identity Provider supports OpenID Connect Discovery (http://openid.net/specs/openid-connect-discovery-1_0.html) you can make GET request to its '/.well-known/openid-configuration' endpoint, copy the response, and paste it to this section.",
            "type": "object",
            "$ref": "openid-metadata"
        },
        "scopesGrant": {
            "description": "Allows to adjust scopes grant.",
            "type": "object",
            "$schema": "http://json-schema.org/draft-04/schema",
            "title": "Scopes grant",
            "required": [
                "scopesSource"
            ],
            "properties": {
                "scopesSource": {
                    "description": "Determines the source of scopes granted to authenticated users. Available values are: 'yaas' - for scopes managed in YaaS Builder, 'claim' - for scopes managed in the Identity Provider and returned in ID token claim. Default value: 'yaas'",
                    "type": "string",
                    "enum": [
                        "yaas",
                        "claim"
                    ]
                },
                "claimName": {
                    "description": "Name of the claim containing scopes granted to the authenticated users. Works only if 'scopesSource' parameter is set to claim. If the 'claimName' is not specified, the service by default sets the 'claimName' to 'scope'.",
                    "type": "string"
                }
            }
        }
    }
}

Example:

{
    "displayName": "Production IDP (https://someorg.io)",
    "credentials": {
        "clientId": "a9883977-97e2-44d9-a4cb-7c2df0f7a267",
        "clientSecret": "2loftph991j058ud"
    },
    "openidMetadata": {
        "issuer": "https://accounts.google.com",
        "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
        "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
        "scopes_supported": [
            "openid",
            "email",
            "profile"
        ]
    }
}

HTTP status code 204

Identity provider's information has been successfully updated.

HTTP status code 400

Payload validation error.

Body

Type: application/json

Schema:

errorMessage

Example:

{
    "status": 400,
    "type": "validation_violation",
    "message": "Field credentials cannot be empty",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 401

Given request is unauthorized. Bad or expired token. Reauthenticate the user. Any details will be provided within the response payload.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 401,
    "message": "Authorization: Unauthorized. Bearer TOKEN is invalid",
    "type": "insufficient_credentials",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 403

Evaluated request scopes in access token are not sufficient and do not match required scopes.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 403,
    "message": "Given request does not have required scopes in access token. It is not authorized to perform this operation.",
    "type": "insufficient_permissions"
}

HTTP status code 404

Identity provider with given ID was not found.

Body

Type: application/json

Schema:

errorMessage

Example:

{
    "status": 404,
    "type": "element_non_existing",
    "message": "Identity Provider with requested ID does not exist or belongs to the other organization.",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 412

Update failed. Object version determined by the ETag header value does not match any of the values listed in the If-Match header. Update the local copy of the resource to the latest version and resend the request.

Use this endpoint to delete a registered identity provider.
Security / Access Control: To access this method, an access token must be issued for the organization which owns the identity provider, and have the hybris.org_manage scope.

URI Parameters

  • id: required (string)

Headers

  • Authorization: required (string)

    Used to send a valid OAuth2 access token.

    Example:

    Bearer access_token
  • If-Match: (string)

    The request succeeds only when the value of this header matches the object version, stored in the ETag header. If the criteria is not met, the service returns a code 412 response and doesn't update the object. Use it to implement Optimistic Locking.

HTTP status code 204

The identity provider has been successfully deleted.

HTTP status code 401

Given request is unauthorized. Bad or expired token. Reauthenticate the user. Any details will be provided within the response payload.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 401,
    "message": "Authorization: Unauthorized. Bearer TOKEN is invalid",
    "type": "insufficient_credentials",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 403

Evaluated request scopes in access token are not sufficient and do not match required scopes.

Body

Type: application/json

Schema:

{
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "error",
    "description": "Schema for API specified errors.",
    "type": "object",
    "properties": {
        "status": {
            "type": "integer",
            "description": "original HTTP error code, should be consistent with the response HTTP code",
            "minimum": 100,
            "maximum": 599
        },
        "type": {
            "type": "string",
            "description": "classification of the error type, lower case with underscore eg validation_failure",
            "pattern": "[a-z]+[a-z_]*[a-z]+"
        },
        "message": {
            "type": "string",
            "description": "descriptive error message for debugging"
        },
        "moreInfo": {
            "type": "string",
            "format": "uri",
            "description": "link to documentation to investigate further and finding support"
        },
        "details": {
            "type": "array",
            "description": "list of problems causing this error",
            "items": {
                "$schema": "http://json-schema.org/draft-04/schema#",
                "title": "errorDetail",
                "description": "schema for specific error cause",
                "type": "object",
                "properties": {
                    "field": {
                        "type": "string",
                        "description": "a bean notation expression specifying the element in request data causing the error, eg product.variants[3].name, this can be empty if violation was not field specific"
                    },
                    "type": {
                        "type": "string",
                        "description": "classification of the error detail type, lower case with underscore eg missing_value, this value must be always interpreted in context of the general error type.",
                        "pattern": "[a-z]+[a-z_]*[a-z]+"
                    },
                    "message": {
                        "type": "string",
                        "description": "descriptive error detail message for debugging"
                    },
                    "moreInfo": {
                        "type": "string",
                        "format": "uri",
                        "description": "link to documentation to investigate further and finding support for error detail"
                    }
                },
                "required": [
                    "type"
                ]
            }
        }
    },
    "required": [
        "status",
        "type"
    ]
}

Example:

{
    "status": 403,
    "message": "Given request does not have required scopes in access token. It is not authorized to perform this operation.",
    "type": "insufficient_permissions"
}

HTTP status code 404

Identity provider with given ID was not found.

Body

Type: application/json

Schema:

errorMessage

Example:

{
    "status": 404,
    "type": "element_non_existing",
    "message": "Identity Provider with requested ID does not exist or belongs to the other organization.",
    "moreInfo": "https://api.yaas.io/patterns/errortypes.html"
}

HTTP status code 412

Update failed. Object version determined by the ETag header value does not match any of the values listed in the If-Match header. Update the local copy of the resource to the latest version and resend the request.

Custom Identity Provider integration - available models

The Identity service allows you to register custom identity providers using two integration models: full and simplified.

In the full integration model, you must create a client for the YaaS OAuth2 service in your custom identity provider. Additionally, your custom identity provider must comply with OpenID Connect basic flow. In this model, the OAuth2 service handles every request for an access token and redirects to the identity provider's authorization endpoint to get an authorization code. The service exchanges the authorization code for an ID token. Finally, it exchanges the ID token for a valid YaaS access token.

In the simplified integration model, you must make sure that the client you create for your application in the custom identity can fetch ID tokens from the custom identity provider and then exchange such tokens for YaaS access tokens in the YaaS OAuth2 service.

Find detailed information about each integration model in the respective sections of this documentation.

Choose the right integration model

The two available custom identity provider integration models differ from each other in some key areas. Read this section to learn about the differences between the integration models and to decide which model suits your use case better.

Full integration model

To use the full integration model, the identity provider you want to use with YaaS must be OpenID Connect-compliant and implement the basic OpenID Connect flow.

In this model, the YaaS OAuth2 service handles all of the authorization steps: exchanging authorization codes for ID tokens, fetching ID tokens, and exchanging ID tokens for access tokens.

To enable this, you need to create a client in your identity provider. The OAuth2 service uses this client to interact with your identity provider. You must ensure successful communication between the client and the OAuth2 service. This is a simple operation as it only requires you to register the OAuth2 metadata you get from the /registration-metadata endpoint of the Identity service in the configuration of the client.

In the full integration model, the process of registering a custom identity provider requires you to provide more details. You must provide the token and authorization endpoints of your identity provider, as well as the JSON Web Key URI or the JSON Web Key. The OAuth2 service needs to perform all of the necessary authorization steps.

For a successful implementation of the full integration model, the YaaS OAuth2 service must be able to call the token endpoints and, if you decide to use it, the JSON Web Key Set (JWKS) URI of the identity provider. This can be impossible in some scenarios, as the network in which the identity provider resides might be inaccessible to the OAuth2 service because of the security mechanisms used.

Summary

  • To use the full integration model, the custom identity provider must be OpenID Connect-compliant and implement the basic OpenID Connect flow.
  • In this integration model, the client setup is remarkably easy.
  • The process of registering a custom identity provider for use with the full integration model requires more details.
  • The OAuth2 service must be able to call the custom identity provider's token endpoint and, if you decide to use it, the JWKS URI.

Simplified integration model

The simplified integration model works with any custom identity provider. You can use this model with custom identity providers that are not OpenID Connect-compliant. The only requirement is that the identity provider must issue valid ID tokens.

In this model, the client performs most of the steps required to authenticate the user. It calls the custom identity provider to get an ID token and then exchanges it for an access token in the OAuth2 service. Therefore, you must configure the client to contact both the custom identity provider and YaaS OAuth2 service and store two different pairs of credentials. The client must also pass the ID tokens in the id_token_hint parameter and handle two additional error types that the OAuth2 service sends. Furthermore, the client must know the location of the custom identity provider's sign-in form and use it as part of handling one of the error scenarios.

In the simplified integration model, the process of registering a custom identity provider requires a minimal amount of configuration details. You must specify the issuer of the ID tokens, as well as the JSON Web Key Set or JSON Web Key Set URI of the identity provider. If the OAuth2 service cannot access the JWKS URI of the custom identity provider, you can substitute the URI with an array of JSON Web Key objects. In such a case, it is vital to maintain up-to-date JSON Web Keys so that the OAuth2 service recognizes the ID tokens it receives from a custom identity provider as valid and not forged.

Use this integration model in scenarios where the OAuth2 service cannot reach the custom identity provider in its network. As an intermediary, the client lives outside of YaaS network, and outside of the network of the identity provider, which allows these components to communicate.

Summary

  • You can use the simplified integration flow with any custom identity provider, whether it is OpenID Connect-compliant or not.
  • In this integration model, the client setup requires more effort.
  • The custom identity provider registration for the simplified integration model requires a minimal amount of details.
  • The simplified integration model works even when the OAuth2 service and the custom identity provider cannot communicate because of the security restrictions on the networks they live in.

Choose the JSON Web Key source

The mechanism of JSON Web Key verification is vital for the security of your custom identity provider implementation. It helps to ensure that the tokens circulating between the identity provider, the clients, and the OAuth2 service are valid and not forged.

To ensure that the JWKS used in your implementation is always up-to-date and does not require manual updating, set the JSON Web Key source to a URI in the identity provider. This way, the OAuth2 service has access to the JSON Web Key directly in the identity provider. If the current key set changes in the identity provider, the OAuth2 has access to the new set without the need to reconfigure the implementation manually.

Both integration models give you the option to provide the JSON Web Key as an array of objects directly in the identity provider configuration. This is a valid solution in scenarios where the OAuth2 service cannot reach the identity provider JWKS URI for reasons such as network security restrictions. When choosing this solution, remember to maintain up-to-date JWKS in the custom identity provider.

Whether you use the simplified or the full integration model, always set the JSON Web Key source to a URI in the identity provider. This gives you the most convenient way to handle JWKS, as well as the best possible security.
Treat the option to provide the JSON Web Key directly in the identity provider configuration as an alternative solution for use in special circumstances.

Custom Identity Provider - full integration model

The process of registering a custom identity provider in YaaS consists of three basic steps:

  1. Get the registration meta-data for the OAuth2 service.

  2. Create a client for YaaS OAuth2 service in your identity provider and obtain the client ID and the client secret.

  3. Register your custom identity provider in the Identity service.

    4. Get the registration meta-data from the OAuth2 service

    To get the meta-data required to register a custom identity provider in YaaS, you must call the /registration-metadata endpoint of the Identity service.

    This is a sample request to the /registration-metadata endpoint. It is an open resource, which means that you don't have to include an access token when you call this endpoint.

    curl -X GET "http://api.eu.yaas.io/hybris/identity/v1/registration-metadata"

    The response includes an array of redirectURIs and an array of postLogoutRedirectURIs. To ensure that you use up-to-date information, call the /registration-metadata endpoint every time you register a new custom identity provider for your organization.

    Create a client for YaaS OAuth2 service in your identity provider and obtain the client ID and client secret

    Create a new client in your custom identity provider. Use the meta-data you obtained from the /registration-metadata endpoint.
    Get the client ID and client secret from the newly created client. You need this information to register your custom identity provider in YaaS.

    Register your custom identity provider in the Identity service

    To register your custom identity provider, you must call the /providers endpoint of the Identity service. The request must include an access token issued for the organization for which you want to register the custom identity provider. The token must also include the hybris.org_manage scope.

    Pass the OpenID configuration, client ID and client secret you obtained from the client you created in the previous step. Additionally, include the display name of your custom identity provider.

    This is a sample identity provider registration request to the /providers endpoint. Line breaks are added for better readability.
    curl -X POST "http://api.eu.yaas.io/hybris/identity/v1/providers" \
-H 'Authorization: Bearer ACCESS_TOKEN_HERE \
-H 'Content-Type: application/json' \
-d '{"displayName":"My IDprovider","credentials":{"clientId":"a9883977-97e3-44d9-a4cb-7c2df0f7a267","clientSecret":"2loftph991j058u3"}, \
"openidConfiguration":{"issuer":"https://someorg.io","authorization_endpoint":"https://someorg.io/authorize", \
"token_endpoint":"https://someorg.io/token","jwks_uri":"https://someorg.io/jwks"}}' \


    The successful response from the Identity service confirms the registration of the custom identity provider and returns the alpha-numeric ID of the custom identity provider, as well as a link to the registered provider. This is a sample code 201 response from the service:

    {"id":"594b8c8176b391a1c5c6344a","link":"https://api.eu.yaas.io/hybris/identity/v1/providers/594b8c8176b391a1c5c6344a"}

    Custom Identity Provider - simplified integration model

    The YaaS OAuth2 service recognizes and handles ID tokens issued by custom identity providers. This allows for a simpler integration model that does not require registering a client for the OAuth2 service in your custom identity provider.

    In the simple integration model you must:

    1. Register the custom identity provider in YaaS.
    2. Create a client for your application in the custom identity provider.
    3. Create a client for your application in YaaS.

    When you use this integration model, the client registered for your application in the custom identity provider requests an ID token directly from the custom identity provider.

    The client registered for your application in YaaS exchanges this ID token for an access token by calling the YaaS OAuth2 service.

    Register the custom identity provider in YaaS

    In the simplified integration model, you don't need to provide the same amount of detail in your custom identity provider registration request.

    Two main elements of the registration request in the simplified model are:

    • displayName - the display name of your custom identity provider
    • openidConfiguration:
      • issuer - the issuer of the ID tokens in your custom identity provider
      • jwks_uri - the JSON Web Key set URI or jwks - array of JSON Web Key objects

    Although you can choose between using the jwks_uri or jwks elements, the use of jwks_uri is highly recommended. Using this option ensures that the JSON Web Key is correct and up-to-date at all times, which helps to improve the security of the implementation.

    The request must also include an access token with the hybris.org_manage scope that is issued for the organization for which you want to register a new custom identity provider.

    
curl -X POST "http://api.eu.yaas.io/hybris/identity/v1/providers" \
-H 'Authorization: Bearer ACCESS_TOKEN_HERE \
-H 'Content-Type: application/json' \
-d '{"displayName":"My IDprovider", \
     "openidConfiguration":{"issuer":"https://someorg.io","jwks_uri":"https://someorg.io/jwks"} \
    }'

    Additional requirements for clients

    The clients that you register for your custom identity provider must handle these error types:

    • invalid_request - the YaaS OAuth2 service returns this error when: you call the OAuth2 service using the custom identity provider configured using the simple integration model, and the call doesn't include the id_token_hint parameter with a valid ID token issued for the custom identity provider
    • login_required - when the request includes an invalid or expired ID token

    To ensure proper operation, remember to configure your client to include the ID token issued by the custom identity provider in requests for access tokens sent to the YaaS OAuth2 service. Make sure the ID tokens are passed in the id_token_hint parameter.

    Scopes management

    When you use a custom identity provider, you can decide where you manage the scopes assigned to the user. You can choose between managing the scopes in your custom identity provider and managing the scopes in the Builder.

    • If you choose the Builder to manage the scopes assigned to the user, you can define and manage the scopes in the administration section of your project's settings.

    • If you choose your custom identity provider to manage the scopes, the identity provider must pass the scopes assigned to the user as claims in ID tokens it issues.

      • Choose either of the described approaches by using the scopesGrant parameter. You can set this parameter when you create a new custom identity provider, or update the configuration of an already existing one.

      The scopesGrant parameter has two properties:

      • scopesSource
      • claimName

      The scopesSource property allows you to choose where you manage the scopes assinged to the users.
      • Set the value of the property to claim to manage the scopes in your custom identity provider.
      • Set the value of the property to yaas to manage the scopes in the Builder.
      • If you don't set the value of this property, the Identity service automatically sets it to the default value, which is yaas.

      When you set the scopesSource to claim, define the name of the claim in which the OAuth2 service looks for scopes assigned to the user by defining the claimName property.
      • If you don't set the value of this property, the service sets the claimName to the default value, which is scope.
      • This property works only when you set the scopesSource to claim.

      Learn more about scopes in YaaS by reading this section in the Dev Portal Overview.

      Use the custom identity provider

      After you successfully register your custom identity provider in the Identity service, you can use it with the Implicit Grant and the Authorization Code Grant authorization flows available in YaaS.

      For more information about the authorization flows available in YaaS, see the Grants section of the OAuth2 service documentation.

      To use your custom identity provider, provide the ID you received in the code 201 successful response from the Identity service as the value of the hybris_id_provider parameter in the request to the OAuth2 service.

      This example shows an Authorization Code Grant flow access token request that uses a custom identity provider registered using the full integration model:

      curl -i -X GET 'https://api.eu.yaas.io/hybris/oauth2/v1/authorize?response_type=code&client_id=CLIENT_ID&scope=SCOPE_NAME&state=STATE&hybris_id_provider=724987custom_idp_id09u'

      • Send feedback

        If you find any information that is unclear or incorrect, please let us know so that we can improve the Dev Portal content.

      • Get Help

        Use our private help channel. Receive updates over email and contact our specialists directly.

      • hybris Experts

        If you need more information about this topic, visit hybris Experts to post your own question and interact with our community and experts.