---
title: External OAuth Servers
description: The PingOne /environments/{{envID}}/externalOAuthServers endpoint provides operations to create, read, update, and delete external OAuth server resources in PingOne.
component: pingone-api
page_id: pingone-api:authorize:api-access-management/external-oauth-servers
canonical_url: https://developer.pingidentity.com/pingone-api/authorize/api-access-management/external-oauth-servers.html
section_ids:
  assigning-admin-roles-and-permissions-to-this-service: Assigning admin roles and permissions to this service
  external-oauth-server-data-model: External OAuth server data model
  external-oauth-limit-filter-data: Limiting and filtering data
  response-codes: Response codes
---

# External OAuth Servers

The PingOne `/environments/{{envID}}/externalOAuthServers` endpoint provides operations to create, read, update, and delete external OAuth server resources in PingOne.

Refer to [Using an external authorization server in PingOne Authorize AAM](https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1_az_external_oauth_servers.html) in the PingOne Admin Guide for more information.

PingOne enforces a limit of 25 External OAuth Servers per environment.

## Assigning admin roles and permissions to this service

Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to [PingOne Permissions by Service](../../platform/reference/roles-and-permissions-in-pingone/permissions-by-service.html) for the service-specific permissions.

You can also choose to assign admin roles based on particular service resources. Refer to [PingOne Permissions by Resource](../../platform/reference/roles-and-permissions-in-pingone/permissions-by-resource.html) when assigning admin roles per service resources.

Admin assignments to roles are set by:

* [Automatic assignment for some roles](../../platform/roles/predefined-roles.html#automatic-role-assignment).

* [Group Role Assignments](../../platform/group-role-assignments/group-role-assignments.html).

* [User Role Assignments](../../platform/users/user-role-assignments.html).

Refer to [Roles Management](../../platform/roles.html) for more information.

## External OAuth server data model

| Property                        | Type             | Required?                  | Mutable?  | Description                                                                                                                                                                                                                                                                                                                                        |
| ------------------------------- | ---------------- | -------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `description`                   | String           | Optional                   | Mutable   | A description of the External OAuth Server. Maximum length 1024.                                                                                                                                                                                                                                                                                   |
| `id`                            | UUID             | Required                   | Immutable | The ID of the External OAuth Server.                                                                                                                                                                                                                                                                                                               |
| `issuers`                       | Array of Strings | Optional                   | Mutable   | Lists the expected issuer value(s) used by the External OAuth Server. The runtime expects the value of a bearer token's `iss` claim to match one of these expected issuer values. Array size must be between 1-8. The length of each array element must be between 1-1024. |
| `name`                          | String           | Required                   | Mutable   | The name of the External OAuth Server. Must be unique to the environment. Length must be between 1-256.                                                                                                                                                                                                                                            |
| `type`                          | String           | Required                   | Mutable   | The type of External OAuth Server. The only accepted value is `EXTERNAL`, which indicates that the External OAuth Server is not PingOne SSO.                                                                                                                                                                                                       |
| `validation`                    | Object           | Required                   | Mutable   | A container object for fields related to runtime validation of access tokens issued by the External OAuth Server.                                                                                                                                                                                                                                  |
| `validation.clockSkewTolerance` | Number           | Optional                   | Mutable   | Specifies an allowable clock skew tolerance in seconds. When validating certain time-based token claims (`nbf`, `exp`), the runtime will tolerate time differences as specified by the value. The value must be zero or a positive integer. The default value is 0. |
| `validation.jwks`               | String           | Optional (see description) | Mutable   | A JWKS document containing the External OAuth Server's public signing keys. Required if `validation.type` is `JWKS`. Must be a valid JWKS per RFC 7517 and not exceed 16kB. |
| `validation.jwksUrl`            | String           | Optional (see description) | Mutable   | The URL of the External OAuth Server's JWKS endpoint. Required if `validation.type` is `JWKS_URL`. Length must be between 1-1024. Must use the HTTPS protocol scheme and satisfy an SSRF risk check. |
| `validation.type`               | String           | Required                   | Mutable   | Indicates the validation strategy that will be used by the AAM runtime. Accepts only one of the following values: `JWKS_URL`, which indicates that the AAM runtime will retrieve JWK signing keys from a JWKS endpoint or `JWKS`, which indicates that the AAM runtime will use a set of JWK signing keys from a JWKS stored in the configuration. |
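
The following pre-flight check is an added example, not PingOne code: it applies the `issuers` and `validation` constraints from the table above to a request body before it is sent. The function names, the reading of 16kB as 16384 bytes, and the internal-host test (a local stand-in for the service's SSRF check, which this page does not describe) are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def _is_internal(host):
    # Assumed local stand-in for the service's SSRF check, which the page does not describe.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        return host == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local

def _jwks_url_ok(url):
    if not isinstance(url, str) or not 1 <= len(url) <= 1024:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme == "https" and bool(parts.hostname) and not _is_internal(parts.hostname)

def _jwks_ok(jwks):
    if not isinstance(jwks, str) or len(jwks.encode()) > 16 * 1024:  # assumption: 16kB = 16384 bytes
        return False
    try:
        keys = json.loads(jwks)["keys"]  # RFC 7517: a JWK Set is an object with a "keys" array
    except (ValueError, KeyError, TypeError):
        return False
    return isinstance(keys, list) and all(isinstance(k, dict) and "kty" in k for k in keys)

def check_token_validation_config(body):
    # Violations of the issuers/validation constraints in the data model; empty list = passes.
    errors = []
    if (iss := body.get("issuers")) is not None and not (isinstance(iss, list) and 1 <= len(iss) <= 8
            and all(isinstance(i, str) and 1 <= len(i) <= 1024 for i in iss)):
        errors.append("issuers: 1-8 strings, each of length 1-1024")
    validation = body.get("validation")
    if not isinstance(validation, dict):
        return errors + ["validation: required object"]
    skew = validation.get("clockSkewTolerance", 0)
    if isinstance(skew, bool) or not isinstance(skew, int) or skew < 0:
        errors.append("validation.clockSkewTolerance: zero or a positive integer")
    vtype = validation.get("type")
    if vtype not in ("JWKS_URL", "JWKS"):
        errors.append("validation.type: must be JWKS_URL or JWKS")
    elif vtype == "JWKS_URL" and not _jwks_url_ok(validation.get("jwksUrl")):
        errors.append("validation.jwksUrl: HTTPS URL, length 1-1024, non-internal host")
    elif vtype == "JWKS" and not _jwks_ok(validation.get("jwks")):
        errors.append("validation.jwks: RFC 7517 JWKS of at most 16kB")
    return errors
```

Call `check_token_validation_config` on the parsed request body before the create or update request; an empty list means these fields meet the documented constraints.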

## Limiting and filtering data

You can limit the number of results returned on the [Read All External OAuth Servers](external-oauth-servers/read-all-external-oauth-servers.html) request with the `limit` parameter. Refer to [Paging and ordering collections](../../platform/reference/paging-ordering-collections.html) for more information about use of the `limit` parameter, as well as other methods of controlling pagination.

You can filter response data by applying a SCIM filtering expression to the [Read All External OAuth Servers](external-oauth-servers/read-all-external-oauth-servers.html) request. These SCIM operators can be applied to the following attributes:

* `co` (contains)

  Supported attributes: `name`

## Response codes

| Code | Message                                                               |
| ---- | --------------------------------------------------------------------- |
| 200  | Successful operation.                                                 |
| 201  | Successfully created.                                                 |
| 204  | Successfully removed. No content.                                     |
| 400  | The request could not be completed.                                   |
| 401  | You do not have access to this resource.                              |
| 403  | You do not have permissions or are not licensed to make this request. |
| 404  | The requested resource was not found.                                 |
