Exchange ID tokens for STS access tokens according to managed trust relationships.
Returns the OpenID Connect discovery document for this service.
| Field | Type | Description |
|---|---|---|
| issuer (required) | string | Issuer identifier URI. |
| jwksUri (required) | string | URI of the JSON Web Key Set. |
| tokenEndpoint (required) | string | URI of the token endpoint. |
| claimsSupported (required) | Array of strings | List of claim names the provider supports. |
| responseTypesSupported (required) | Array of strings | List of supported response types. |
| subjectTypesSupported (required) | Array of strings | List of supported subject identifier types. |
| idTokenSigningAlgValuesSupported (required) | Array of strings | List of JWS signing algorithms supported for the ID token. |
Response sample:

{
  "claimsSupported": ["string"],
  "responseTypesSupported": ["string"],
  "subjectTypesSupported": ["string"],
  "idTokenSigningAlgValuesSupported": ["string"]
}

Lists the access policies granted to the subject identified by the given token within a project.
Request body:

| Field | Type | Description |
|---|---|---|
| projectId (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` | Globally unique identifier of a project. |
| subjectToken (required) | string | An ID or access token indicating the subject to list granted access policies for. |
| subjectTokenType (required) | string, Value: "urn:ietf:params:oauth:token-type:id_token" | Indicates whether the subject token is an ID token or access token. |
| pageSize | integer (PageSize) >= 1, Default: 100 | When paging through results, this is an integer indicating the maximum number of results to return. Note, it is possible for fewer results to be returned even when the end of the result set has not been reached. |
| pageToken | string (PageToken) `^.*$` | When paging through results, the PageToken is an opaque indicator that identifies a page. |

Response:

| Field | Type | Description |
|---|---|---|
| list (required) | Array of objects | The access policies granted to the subject; each item carries an accessPolicyId (see the response sample). |
| nextPageToken | string (NextPageToken) `^.*$` | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |
Request sample:

{
  "projectId": "project:abc-123",
  "subjectToken": "eyJhbGciOiJSUzI1NiJ9...",
  "subjectTokenType": "urn:ietf:params:oauth:token-type:id_token",
  "pageSize": 20,
  "pageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Response sample:

{
  "list": [
    { "accessPolicyId": "accesspolicy:my-policy" }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

An OAuth 2.0 token endpoint supporting RFC 8693 token exchange, used to exchange an OIDC ID token issued by a trusted OIDC provider to a trusted client for an access token that can be used to access other Equinix product APIs.
Request body:

| Field | Type | Description |
|---|---|---|
| grantType (required) | string, Enum: "client_credentials", "urn:ietf:params:oauth:grant-type:token-exchange" | The OAuth 2.0 grant type. |
| scope | string | Requested scope for the access token. |
| subjectToken | string | The ID token to exchange. |
| subjectTokenType | string, Value: "urn:ietf:params:oauth:token-type:id_token" | The type of the subject token. |

Response:

| Field | Type | Description |
|---|---|---|
| accessToken (required) | string | The issued access token. |
| issuedTokenType (required) | string, Value: "urn:ietf:params:oauth:token-type:access_token" | The type of the issued token. |
| tokenType (required) | string, Enum: "Bearer", "DPoP" | The token type, e.g. Bearer. |
| expiresIn (required) | integer | Lifetime of the token in seconds. |
Response sample:

{
  "accessToken": "eyJhbGciOiJFUzI1NiJ9...",
  "issuedTokenType": "urn:ietf:params:oauth:token-type:access_token",
  "tokenType": "Bearer",
  "expiresIn": 3600
}

Allows a user to permanently remove the trust relationship for an OIDC provider in a root project. This operation cannot be reversed. This operation causes the idpId of the OIDC provider to be permanently disabled for this root project. Even if createOidcProvider is used to register the same OIDC provider again, it will be assigned a unique idpId within the root project. This operation applies for the project which owns the access policy being used. Access control is fine-grained, based on the project which contains the OIDC provider.

The auth token's access policy must allow action:use/deleteOidcProvider.
Path parameters:

| Field | Type | Description |
|---|---|---|
| projectId (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` Example: project:abc-123 | Globally unique identifier of a project. Callers may URL encode this value. |
| idpId (required) | string (IdentityProviderId) `^idp:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-zA-Z0-9...` Example: idp:my-idp | Uniquely identifies a trusted Identity Provider within a root project. Callers may URL encode this value. |
Error response sample:

{
  "error": {
    "errorCode": "not-found"
  }
}

Modify specific property values of an OIDCProvider, leaving the rest with their current values. Optional properties (e.g. groupMembershipClaim) may be unset by assigning them the value {"$unset": true}. Access control is fine-grained, based on the project containing the OIDC provider being updated.

The auth token's access policy must allow action:use/patchOidcProvider.
Path parameters:

| Field | Type | Description |
|---|---|---|
| projectId (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` Example: project:abc-123 | Globally unique identifier of a project. Callers may URL encode this value. |
| idpId (required) | string (IdentityProviderId) `^idp:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-zA-Z0-9...` Example: idp:my-idp | Uniquely identifies a trusted Identity Provider within a root project. Callers may URL encode this value. |

Request body:

| Field | Type | Description |
|---|---|---|
| name | string [ 2 .. 100 ] characters | A human-friendly name for the identity provider. |
| trustedClientIds | Array of strings [ 0 .. 10 ] items [ items [ 2 .. 100 ] characters ] | List of OAuth 2.0 client ids for this provider that are permitted to exchange ID tokens for access tokens. The value of the |
| groupMembershipClaim | One of: string, or object ({"$unset": true} to clear the property) | Name of the claim in the ID tokens provided by this OIDC issuer whose value the STS should interpret as containing a user's group memberships, for authorization purposes. The value of the group membership claim in an ID token must be an array of strings, where each string is a unique, non-reassignable identifier for a group. When this property is not set, the STS does not interpret any claim from this provider as a group membership claim. |
| lastRev (required) | string (LastResourceRev) `^.*$` | An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |
Response:

| Field | Type | Description |
|---|---|---|
| jwks (required) | object | TEMPORARY: In the future, the STS will retrieve the provider's JWKS via standard OIDC Discovery mechanisms, and this will not be an input parameter. |
| idpId (required) | string (IdentityProviderId) `^idp:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-zA-Z0-9...` | Uniquely identifies a trusted Identity Provider within a root project. |
| updatedAt | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| createdBy (required) | string (CreatedBy) `^.*$` | A string indicating the principal who invoked an operation to create the resource. |
| issuerLocation (required) | string | The OIDC issuer location URL. |
| name (required) | string [ 2 .. 100 ] characters | A human-friendly name for the identity provider. |
| createdAt (required) | string (CreatedAt) `^.*$` | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| issuerUri (required) | string (IssuerUri) `^https://[a-zA-Z0-9-.]+(:[1-9][0-9]{0,4})?((?...` | The value of the |
| rev (required) | string (ResourceRev) `^.*$` | An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| updatedBy | string (UpdatedBy) `^.*$` | A string indicating the principal who last invoked an operation to update the resource. |
| status (required) | string (ProviderStatus), Enum: "ENABLED", "SUSPENDED" | |
| groupMembershipClaim | string [ 2 .. 100 ] characters | Name of the claim in the ID tokens provided by this OIDC issuer whose value the STS should interpret as containing a user's group memberships, for authorization purposes. The value of the group membership claim in an ID token must be an array of strings, where each string is a unique, non-reassignable identifier for a group. When this property is not set, the STS does not interpret any claim from this provider as a group membership claim. |
| trustedClientIds (required) | Array of strings [ 0 .. 10 ] items [ items [ 2 .. 100 ] characters ] | List of OAuth 2.0 client ids for this provider that are permitted to exchange ID tokens for access tokens. The value of the |
| jwksRetrievedAt (required) | string | Timestamp string formatted like: "2025-02-13T17:10:00.864707507Z". |
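Added example, not code from this reference or from the Equinix STS: how a server could apply a patchOidcProvider body with the {"$unset": true} convention and the lastRev collision check described above, against a constructed provider record. apply_patch, patch_outcome, the integer-style rev and the constructed STORED record are assumptions.

```python
import copy

UNSET = {"$unset": True}
# Fields this reference lists in the patchOidcProvider request body. Only
# groupMembershipClaim is optional on the provider record, so it is the only one
# that may be cleared with {"$unset": true}; name and trustedClientIds are required.
# status is deliberately absent: it changes only via suspend/resumeOidcProvider.
PATCHABLE = {"name", "trustedClientIds", "groupMembershipClaim"}
UNSETTABLE = {"groupMembershipClaim"}

# Constructed stored record shaped like the OIDCProvider object above. The
# integer-like rev is a constructed scheme; the page only says rev is opaque
# and changes on every update.
STORED = {"idpId": "idp:my-idp", "name": "My OIDC Provider",
          "trustedClientIds": ["my-oauth-client-id"],
          "groupMembershipClaim": "groups", "status": "ENABLED", "rev": "7"}


class Conflict(Exception): pass      # lastRev is stale: updated since the caller read it
class InvalidPatch(Exception): pass  # unknown field, $unset of a required field, bad length


def _valid_str(value) -> bool:
    return isinstance(value, str) and 2 <= len(value) <= 100


def apply_patch(record: dict, patch: dict, principal: str) -> dict:
    """Return a new record with the patch applied, or raise Conflict/InvalidPatch.
    The stored record is never mutated, so a rejected patch leaves no trace."""
    if patch.get("lastRev") != record["rev"]:
        raise Conflict(f"lastRev {patch.get('lastRev')!r} != stored rev {record['rev']!r}")
    updated = copy.deepcopy(record)
    for field, value in patch.items():
        if field == "lastRev":
            continue
        if field not in PATCHABLE:
            raise InvalidPatch(f"{field} is not patchable")
        if value == UNSET:
            if field not in UNSETTABLE:
                raise InvalidPatch(f"{field} is required and cannot be unset")
            updated.pop(field, None)
        elif field == "trustedClientIds":
            if not (isinstance(value, list) and len(value) <= 10 and all(map(_valid_str, value))):
                raise InvalidPatch("trustedClientIds: at most 10 strings of 2..100 characters")
            updated[field] = value
        elif _valid_str(value):
            updated[field] = value
        else:
            raise InvalidPatch(f"{field} must be a string of 2..100 characters")
    updated["rev"] = str(int(record["rev"]) + 1)  # new revision; old lastRev now conflicts
    updated["updatedBy"] = principal
    return updated


def patch_outcome(record: dict, patch: dict, principal: str = "principal:test") -> str:
    """Classify a patch attempt as 'ok', 'conflict' or 'invalid'."""
    try:
        apply_patch(record, patch, principal)
    except Conflict:
        return "conflict"
    except InvalidPatch:
        return "invalid"
    return "ok"
```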
Request sample:

{
  "name": "My OIDC Provider",
  "trustedClientIds": ["my-oauth-client-id"],
  "groupMembershipClaim": "groups",
  "lastRev": "abc123"
}

Response sample:

{
  "jwks": {
    "keys": [
      { }
    ]
  },
  "idpId": "idp:my-idp",
  "updatedAt": "2024-01-15T12:00:00Z",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "name": "My OIDC Provider",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "status": "ENABLED",
  "groupMembershipClaim": "groups",
  "trustedClientIds": ["my-oauth-client-id"],
  "jwksRetrievedAt": "2025-02-13T17:10:00.864707507Z"
}

Allows a user to indicate that an OIDC provider is no longer trusted in a root project. This operation applies for the project which owns the access policy being used. This operation can be reversed via resumeOidcProvider. This operation provides a reversible way to turn off token exchange for identity tokens from an OIDC provider. Access control is fine-grained, based on the project which contains the OIDC provider.

The auth token's access policy must allow action:use/suspendOidcProvider.
Path parameters:

| Field | Type | Description |
|---|---|---|
| projectId (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` Example: project:abc-123 | Globally unique identifier of a project. Callers may URL encode this value. |
| idpId (required) | string (IdentityProviderId) `^idp:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-zA-Z0-9...` Example: idp:my-idp | Uniquely identifies a trusted Identity Provider within a root project. Callers may URL encode this value. |
Error response sample:

{
  "error": {
    "errorCode": "not-found"
  }
}

Allows a user to restore the trust relationship for an OIDC provider in a root project. This operation applies for the project which owns the access policy being used. Access control is fine-grained, based on the project which contains the OIDC provider.

The auth token's access policy must allow action:use/resumeOidcProvider.
Path parameters:

| Field | Type | Description |
|---|---|---|
| projectId (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` Example: project:abc-123 | Globally unique identifier of a project. Callers may URL encode this value. |
| idpId (required) | string (IdentityProviderId) `^idp:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-zA-Z0-9...` Example: idp:my-idp | Uniquely identifies a trusted Identity Provider within a root project. Callers may URL encode this value. |
Error response sample:

{
  "error": {
    "errorCode": "not-found"
  }
}

Allows a user to page through all of the OIDC providers which are defined for a root project. The project is identified by the project id or ern provided. Access control is fine-grained, based on the project whose OIDC providers are being listed.

The auth token's access policy must allow action:use/pageOidcProviders.
Path parameters:

| Field | Type | Description |
|---|---|---|
| projectId (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` Example: project:abc-123 | Globally unique identifier of a project. Callers may URL encode this value. |

Query parameters:

| Field | Type | Description |
|---|---|---|
| includeSuspended | boolean, Example: includeSuspended=false | When true, include suspended OIDC providers in the results. |
| pageToken | string (PageToken) `^.*$` Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0= | Opaque token identifying the page of results to retrieve. |
| pageSize | integer (PageSize) >= 1, Default: 100, Example: pageSize=20 | Maximum number of results to return per page. |

Response:

| Field | Type | Description |
|---|---|---|
| list (required) | Array of objects (OIDCProviderList) | A list of OIDC providers. |
| nextPageToken | string (NextPageToken) `^.*$` | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |
Response sample:

{
  "list": [
    {
      "jwks": {
        "keys": [
          { }
        ]
      },
      "idpId": "idp:my-idp",
      "updatedAt": "2024-01-15T12:00:00Z",
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "name": "My OIDC Provider",
      "createdAt": "2024-01-15T12:00:00Z",
      "rev": "abc123",
      "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
      "status": "ENABLED",
      "groupMembershipClaim": "groups",
      "trustedClientIds": ["my-oauth-client-id"],
      "jwksRetrievedAt": "2025-02-13T17:10:00.864707507Z"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Allows a user to register a new OIDC provider for a root project. The OIDC provider is registered in the project which owns the access policy being used. The idpPrefix is used to create a unique idpId for this usage of the OIDC provider within the root project. The idpPrefix cannot be the same as that of any existing OIDC provider record, suspended or non-suspended, for this root project. This operation creates a trust relationship between the root project and the OIDC provider such that identity tokens from the OIDC provider will be accepted for token exchange. Access control is fine-grained, based on the project in which an OIDC provider is being created.

The auth token's access policy must allow action:use/createOidcProvider.
Path parameters:

| Field | Type | Description |
|---|---|---|
| projectId (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` Example: project:abc-123 | Globally unique identifier of a project. Callers may URL encode this value. |

Request body:

| Field | Type | Description |
|---|---|---|
| name (required) | string [ 2 .. 100 ] characters | A human-friendly name for the identity provider. |
| trustedClientIds (required) | Array of strings [ 0 .. 10 ] items [ items [ 2 .. 100 ] characters ] | List of OAuth 2.0 client ids for this provider that are permitted to exchange ID tokens for access tokens. The value of the |
| groupMembershipClaim | string [ 2 .. 100 ] characters | Name of the claim in the ID tokens provided by this OIDC issuer whose value the STS should interpret as containing a user's group memberships, for authorization purposes. The value of the group membership claim in an ID token must be an array of strings, where each string is a unique, non-reassignable identifier for a group. When this property is not set, the STS does not interpret any claim from this provider as a group membership claim. |
| issuerLocation (required) | string | The OIDC issuer location URL. |
| idpPrefix (required) | string `^[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-zA-Z0-9-]{0...` | Prefix used to derive the unique idpId for this provider within the root project (see the description above). |
Response:

| Field | Type | Description |
|---|---|---|
| jwks (required) | object | TEMPORARY: In the future, the STS will retrieve the provider's JWKS via standard OIDC Discovery mechanisms, and this will not be an input parameter. |
| idpId (required) | string (IdentityProviderId) `^idp:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-zA-Z0-9...` | Uniquely identifies a trusted Identity Provider within a root project. |
| updatedAt | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| createdBy (required) | string (CreatedBy) `^.*$` | A string indicating the principal who invoked an operation to create the resource. |
| issuerLocation (required) | string | The OIDC issuer location URL. |
| name (required) | string [ 2 .. 100 ] characters | A human-friendly name for the identity provider. |
| createdAt (required) | string (CreatedAt) `^.*$` | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| issuerUri (required) | string (IssuerUri) `^https://[a-zA-Z0-9-.]+(:[1-9][0-9]{0,4})?((?...` | The value of the |
| rev (required) | string (ResourceRev) `^.*$` | An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| updatedBy | string (UpdatedBy) `^.*$` | A string indicating the principal who last invoked an operation to update the resource. |
| status (required) | string (ProviderStatus), Enum: "ENABLED", "SUSPENDED" | |
| groupMembershipClaim | string [ 2 .. 100 ] characters | Name of the claim in the ID tokens provided by this OIDC issuer whose value the STS should interpret as containing a user's group memberships, for authorization purposes. The value of the group membership claim in an ID token must be an array of strings, where each string is a unique, non-reassignable identifier for a group. When this property is not set, the STS does not interpret any claim from this provider as a group membership claim. |
| trustedClientIds (required) | Array of strings [ 0 .. 10 ] items [ items [ 2 .. 100 ] characters ] | List of OAuth 2.0 client ids for this provider that are permitted to exchange ID tokens for access tokens. The value of the |
| jwksRetrievedAt (required) | string | Timestamp string formatted like: "2025-02-13T17:10:00.864707507Z". |
Request sample:

{
  "name": "My OIDC Provider",
  "trustedClientIds": ["my-oauth-client-id"],
  "groupMembershipClaim": "groups",
  "idpPrefix": "my-idp"
}

Response sample:

{
  "jwks": {
    "keys": [
      { }
    ]
  },
  "idpId": "idp:my-idp",
  "updatedAt": "2024-01-15T12:00:00Z",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "name": "My OIDC Provider",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "status": "ENABLED",
  "groupMembershipClaim": "groups",
  "trustedClientIds": ["my-oauth-client-id"],
  "jwksRetrievedAt": "2025-02-13T17:10:00.864707507Z"
}
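Added example, not code from this reference or from the Equinix STS: the trust-relationship checks that the token endpoint exchange described earlier and the trust relationship createOidcProvider establishes imply, applied to constructed provider records shaped like the OIDCProvider object above and to constructed ID tokens. evaluate_exchange, PROVIDERS and make_unsigned_token are assumptions, and the code assumes the token's signature has already been verified against the provider's jwks.

```python
import base64
import json

# Constructed provider records shaped like the OIDCProvider object returned by
# createOidcProvider. jwks is omitted: this example assumes signature verification
# against the provider's JWKS already happened and applies only the trust rules.
PROVIDERS = [
    {"idpId": "idp:my-idp", "issuerUri": "https://issuer.example.com",
     "status": "ENABLED", "trustedClientIds": ["my-oauth-client-id"],
     "groupMembershipClaim": "groups"},
    {"idpId": "idp:old-idp", "issuerUri": "https://old.example.com",
     "status": "SUSPENDED", "trustedClientIds": ["legacy-client"]},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed test fixture: compact JWS layout with a placeholder signature."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature-placeholder"


def claims_of(id_token: str) -> dict:
    """Return the payload claims of a compact JWS, restoring base64url padding."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def evaluate_exchange(id_token: str, now: float, providers=PROVIDERS) -> dict:
    """Accept or refuse an ID token for exchange: the issuer must be a registered
    provider, that provider must be ENABLED (a SUSPENDED one refuses exchange),
    the audience must be one of the provider's trustedClientIds, and group
    memberships come only from the configured groupMembershipClaim and only when
    that claim is an array of strings (anything else yields no groups)."""
    claims = claims_of(id_token)
    provider = next((p for p in providers if p["issuerUri"] == claims.get("iss")), None)
    if provider is None:
        return {"ok": False, "reason": "untrusted-issuer"}
    idp = provider["idpId"]
    if provider["status"] != "ENABLED":
        return {"ok": False, "reason": "provider-suspended", "idpId": idp}
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if not any(a in provider["trustedClientIds"] for a in audiences):
        return {"ok": False, "reason": "untrusted-client", "idpId": idp}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "expired", "idpId": idp}
    raw = claims.get(provider.get("groupMembershipClaim") or "")
    groups = raw if isinstance(raw, list) and all(isinstance(g, str) for g in raw) else []
    return {"ok": True, "idpId": idp, "sub": claims.get("sub"), "groups": groups}
```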