---
title: /realm-config/agents/OAuth2Client
description: Invoke this Advanced Identity Cloud-specific endpoint to create, list, and delete OAuth 2.0 clients.
component: pingoneaic-api
page_id: pingoneaic-api:am-oauth2:rest-api-oauth2-client-admin-endpoint
canonical_url: https://developer.pingidentity.com/pingoneaic-api/am-oauth2/rest-api-oauth2-client-admin-endpoint.html
keywords: ["OAuth 2.0", "API Explorer", "Administration", "Endpoints", "Clients"]
section_ids:
  create-oauth2-client: Create an OAuth 2.0 client
  update-oauth2-clients: Update an OAuth 2.0 client
  query-oauth2-clients: Query OAuth 2.0 clients
  delete-an-oauth-2-0-client: Delete an OAuth 2.0 client
---

# /realm-config/agents/OAuth2Client

Invoke this Advanced Identity Cloud-specific endpoint to create, update, list, and delete OAuth 2.0 clients.

## Create an OAuth 2.0 client

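This example registers a basic OAuth 2.0 client named `myClient` in the `alpha` realm. In the sample output, several properties that the request sends with `"inherited": true` (for example, `grantTypes` and `defaultScopes`) come back with values different from those submitted, so check the response to confirm the grant types and scopes the client actually received. Append the name of the client to the URL: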

```bash
# Create the OAuth 2.0 client "myClient" in the alpha realm with a PUT to the
# client's own URL (the same request shape is used to update an existing client).
# <access-token> and <tenant-env-fqdn> are placeholders for your own values.
# "mySecret" is a sample client secret only: supply a long, randomly generated
# value, and keep real secrets and bearer tokens out of shell history and shared
# logs. The sample response shows "userpassword": null, so the secret is not
# echoed back.
$ curl \
--request PUT \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--header "Authorization: Bearer <access-token>" \
--data '{
   "coreOAuth2ClientConfig":{
      "agentgroup":"",
      "status":{
         "inherited":true,
         "value":"string"
      },
      "userpassword":"mySecret",
      "clientType":{
         "inherited":false,
         "value":"Confidential"
      },
      "redirectionUris":{
         "inherited":false,
         "value":[
            "https://www.example.com:443/callback"
         ]
      },
      "scopes":{
         "inherited":false,
         "value":[
            "write",
            "read"
         ]
      },
      "defaultScopes":{
         "inherited":true,
         "value":[
            "write"
         ]
      },
      "clientName":{
         "inherited":true,
         "value":[
            "My Test Client"
         ]
      }
   },
   "advancedOAuth2ClientConfig":{
      "name":{
         "inherited":false,
         "value":[
            null
         ]
      },
      "grantTypes":{
         "inherited":true,
         "value":[
            "authorization_code",
            "client_credentials"
         ]
      },
      "tokenEndpointAuthMethod":{
         "inherited":true,
         "value":"client_secret_basic"
      }
   }
}' \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"
```

> **Collapse: Display output**
>
> ```json
> {
>     "_id": "myClient",
>     "_rev": "720283894",
>     "overrideOAuth2ClientConfig": {
>         "issueRefreshToken": true,
>         "validateScopePluginType": "PROVIDER",
>         "tokenEncryptionEnabled": false,
>         "evaluateScopePluginType": "PROVIDER",
>         "oidcMayActScript": "[Empty]",
>         "oidcClaimsScript": "[Empty]",
>         "scopesPolicySet": "oauth2Scopes",
>         "accessTokenModificationPluginType": "PROVIDER",
>         "authorizeEndpointDataProviderClass": "org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider",
>         "oidcClaimsPluginType": "PROVIDER",
>         "providerOverridesEnabled": false,
>         "authorizeEndpointDataProviderScript": "[Empty]",
>         "statelessTokensEnabled": false,
>         "authorizeEndpointDataProviderPluginType": "PROVIDER",
>         "remoteConsentServiceId": null,
>         "enableRemoteConsent": false,
>         "validateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator",
>         "usePolicyEngineForScope": false,
>         "evaluateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator",
>         "overrideableOIDCClaims": [],
>         "accessTokenMayActScript": "[Empty]",
>         "evaluateScopeScript": "[Empty]",
>         "clientsCanSkipConsent": false,
>         "accessTokenModificationScript": "[Empty]",
>         "issueRefreshTokenOnRefreshedToken": true,
>         "validateScopeScript": "[Empty]"
>     },
>     "advancedOAuth2ClientConfig": {
>         "logoUri": {
>             "inherited": false,
>             "value": []
>         },
>         "subjectType": {
>             "inherited": false,
>             "value": "public"
>         },
>         "clientUri": {
>             "inherited": false,
>             "value": []
>         },
>         "tokenExchangeAuthLevel": {
>             "inherited": false,
>             "value": 0
>         },
>         "responseTypes": {
>             "inherited": false,
>             "value": [
>                 "code",
>                 "token",
>                 "id_token",
>                 "code token",
>                 "token id_token",
>                 "code id_token",
>                 "code token id_token",
>                 "device_code",
>                 "device_code id_token"
>             ]
>         },
>         "mixUpMitigation": {
>             "inherited": false,
>             "value": false
>         },
>         "customProperties": {
>             "inherited": false,
>             "value": []
>         },
>         "javascriptOrigins": {
>             "inherited": false,
>             "value": []
>         },
>         "policyUri": {
>             "inherited": false,
>             "value": []
>         },
>         "softwareVersion": {
>             "inherited": false
>         },
>         "tosURI": {
>             "inherited": false,
>             "value": []
>         },
>         "sectorIdentifierUri": {
>             "inherited": false
>         },
>         "tokenEndpointAuthMethod": {
>             "inherited": false,
>             "value": "client_secret_basic"
>         },
>         "refreshTokenGracePeriod": {
>             "inherited": false,
>             "value": 0
>         },
>         "isConsentImplied": {
>             "inherited": false,
>             "value": false
>         },
>         "softwareIdentity": {
>             "inherited": false
>         },
>         "grantTypes": {
>             "inherited": false,
>             "value": [
>                 "authorization_code"
>             ]
>         },
>         "require_pushed_authorization_requests": {
>             "inherited": false,
>             "value": false
>         },
>         "descriptions": {
>             "inherited": false,
>             "value": []
>         },
>         "requestUris": {
>             "inherited": false,
>             "value": []
>         },
>         "name": {
>             "inherited": false,
>             "value": [
>                 "null"
>             ]
>         },
>         "contacts": {
>             "inherited": false,
>             "value": []
>         },
>         "updateAccessToken": {
>             "inherited": false
>         }
>     },
>     "signEncOAuth2ClientConfig": {
>         "tokenEndpointAuthSigningAlgorithm": {
>             "inherited": false,
>             "value": "RS256"
>         },
>         "idTokenEncryptionEnabled": {
>             "inherited": false,
>             "value": false
>         },
>         "tokenIntrospectionEncryptedResponseEncryptionAlgorithm": {
>             "inherited": false,
>             "value": "A128CBC-HS256"
>         },
>         "requestParameterSignedAlg": {
>             "inherited": false
>         },
>         "authorizationResponseSigningAlgorithm": {
>             "inherited": false,
>             "value": "RS256"
>         },
>         "clientJwtPublicKey": {
>             "inherited": false
>         },
>         "idTokenPublicEncryptionKey": {
>             "inherited": false
>         },
>         "mTLSSubjectDN": {
>             "inherited": false
>         },
>         "jwkStoreCacheMissCacheTime": {
>             "inherited": false,
>             "value": 60000
>         },
>         "jwkSet": {
>             "inherited": false
>         },
>         "idTokenEncryptionMethod": {
>             "inherited": false,
>             "value": "A128CBC-HS256"
>         },
>         "jwksUri": {
>             "inherited": false
>         },
>         "tokenIntrospectionEncryptedResponseAlg": {
>             "inherited": false,
>             "value": "RSA-OAEP-256"
>         },
>         "authorizationResponseEncryptionMethod": {
>             "inherited": false
>         },
>         "userinfoResponseFormat": {
>             "inherited": false,
>             "value": "JSON"
>         },
>         "mTLSCertificateBoundAccessTokens": {
>             "inherited": false,
>             "value": false
>         },
>         "publicKeyLocation": {
>             "inherited": false,
>             "value": "jwks_uri"
>         },
>         "tokenIntrospectionResponseFormat": {
>             "inherited": false,
>             "value": "JSON"
>         },
>         "requestParameterEncryptedEncryptionAlgorithm": {
>             "inherited": false,
>             "value": "A128CBC-HS256"
>         },
>         "userinfoSignedResponseAlg": {
>             "inherited": false
>         },
>         "idTokenEncryptionAlgorithm": {
>             "inherited": false,
>             "value": "RSA-OAEP-256"
>         },
>         "requestParameterEncryptedAlg": {
>             "inherited": false
>         },
>         "authorizationResponseEncryptionAlgorithm": {
>             "inherited": false
>         },
>         "mTLSTrustedCert": {
>             "inherited": false
>         },
>         "jwksCacheTimeout": {
>             "inherited": false,
>             "value": 3600000
>         },
>         "userinfoEncryptedResponseAlg": {
>             "inherited": false
>         },
>         "idTokenSignedResponseAlg": {
>             "inherited": false,
>             "value": "RS256"
>         },
>         "tokenIntrospectionSignedResponseAlg": {
>             "inherited": false,
>             "value": "RS256"
>         },
>         "userinfoEncryptedResponseEncryptionAlgorithm": {
>             "inherited": false,
>             "value": "A128CBC-HS256"
>         }
>     },
>     "coreOpenIDClientConfig": {
>         "claims": {
>             "inherited": false,
>             "value": []
>         },
>         "backchannel_logout_uri": {
>             "inherited": false
>         },
>         "defaultAcrValues": {
>             "inherited": false,
>             "value": []
>         },
>         "jwtTokenLifetime": {
>             "inherited": false,
>             "value": 0
>         },
>         "defaultMaxAgeEnabled": {
>             "inherited": false,
>             "value": false
>         },
>         "clientSessionUri": {
>             "inherited": false
>         },
>         "defaultMaxAge": {
>             "inherited": false,
>             "value": 600
>         },
>         "postLogoutRedirectUri": {
>             "inherited": false,
>             "value": []
>         },
>         "backchannel_logout_session_required": {
>             "inherited": false,
>             "value": false
>         }
>     },
>     "coreOAuth2ClientConfig": {
>         "userpassword": null,
>         "status": {
>             "inherited": false,
>             "value": "Active"
>         },
>         "clientName": {
>             "inherited": false,
>             "value": []
>         },
>         "clientType": {
>             "inherited": false,
>             "value": "Confidential"
>         },
>         "loopbackInterfaceRedirection": {
>             "inherited": false,
>             "value": false
>         },
>         "defaultScopes": {
>             "inherited": false,
>             "value": []
>         },
>         "refreshTokenLifetime": {
>             "inherited": false,
>             "value": 0
>         },
>         "scopes": {
>             "inherited": false,
>             "value": [
>                 "write",
>                 "read"
>             ]
>         },
>         "accessTokenLifetime": {
>             "inherited": false,
>             "value": 0
>         },
>         "redirectionUris": {
>             "inherited": false,
>             "value": [
>                 "https://www.example.com:443/callback"
>             ]
>         },
>         "authorizationCodeLifetime": {
>             "inherited": false,
>             "value": 0
>         }
>     },
>     "coreUmaClientConfig": {
>         "claimsRedirectionUris": {
>             "inherited": false,
>             "value": []
>         }
>     },
>     "_type": {
>         "_id": "OAuth2Client",
>         "name": "OAuth2 Clients",
>         "collection": true
>     }
> }
> ```

## Update an OAuth 2.0 client

To update an existing OAuth 2.0 client, send a PUT request like the one used to create it. Make sure you include *all* the attributes you want to retain in the client configuration: if you omit an attribute from the JSON payload, the request effectively deletes that attribute from the client. The client secret attribute is the exception; omitting it doesn't delete the existing secret.

## Query OAuth 2.0 clients

This example lists the OAuth 2.0 clients in the `alpha` realm.

```bash
# List the OAuth 2.0 clients in the alpha realm; _queryFilter=true matches every
# entry. <access-token> and <tenant-env-fqdn> are placeholders for your own values.
# The sample output's coreOAuth2ClientConfig contains no userpassword field.
$ curl \
--request GET \
--header "Accept-API-Version: resource=1.0" \
--header "Authorization: Bearer <access-token>" \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client?_queryFilter=true"
```

> **Collapse: Display output**
>
> ```json
> {
>   "result": [
>     {
>       "_id": "myClient",
>       "_rev": "-1788958356",
>       "overrideOAuth2ClientConfig": {
>         "issueRefreshToken": true,
>         "validateScopePluginType": "PROVIDER",
>         "tokenEncryptionEnabled": false,
>         "evaluateScopePluginType": "PROVIDER",
>         "oidcMayActScript": "[Empty]",
>         "oidcClaimsScript": "[Empty]",
>         "accessTokenModificationPluginType": "PROVIDER",
>         "authorizeEndpointDataProviderClass": "org.forgerock.oauth2.core.plugins.registry.DefaultEndpointDataProvider",
>         "oidcClaimsPluginType": "PROVIDER",
>         "providerOverridesEnabled": false,
>         "authorizeEndpointDataProviderScript": "[Empty]",
>         "statelessTokensEnabled": false,
>         "authorizeEndpointDataProviderPluginType": "PROVIDER",
>         "remoteConsentServiceId": null,
>         "enableRemoteConsent": false,
>         "validateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeValidator",
>         "usePolicyEngineForScope": false,
>         "evaluateScopeClass": "org.forgerock.oauth2.core.plugins.registry.DefaultScopeEvaluator",
>         "overrideableOIDCClaims": [],
>         "accessTokenMayActScript": "[Empty]",
>         "evaluateScopeScript": "[Empty]",
>         "clientsCanSkipConsent": false,
>         "accessTokenModificationScript": "[Empty]",
>         "issueRefreshTokenOnRefreshedToken": true,
>         "validateScopeScript": "[Empty]"
>       },
>       "advancedOAuth2ClientConfig": {
>         "logoUri": [],
>         "subjectType": "public",
>         "clientUri": [],
>         "tokenExchangeAuthLevel": 0,
>         "responseTypes": [
>           "code",
>           "token",
>           "id_token",
>           "code token",
>           "token id_token",
>           "code id_token",
>           "code token id_token",
>           "device_code",
>           "device_code id_token"
>         ],
>         "mixUpMitigation": false,
>         "customProperties": [],
>         "javascriptOrigins": [],
>         "policyUri": [],
>         "softwareVersion": null,
>         "sectorIdentifierUri": null,
>         "tosURI": [],
>         "tokenEndpointAuthMethod": "client_secret_basic",
>         "isConsentImplied": false,
>         "refreshTokenGracePeriod": 0,
>         "softwareIdentity": null,
>         "grantTypes": [
>           "authorization_code"
>         ],
>         "require_pushed_authorization_requests": false,
>         "descriptions": [],
>         "requestUris": [],
>         "name": [],
>         "contacts": [],
>         "updateAccessToken": null
>       },
>       "signEncOAuth2ClientConfig": {
>         "tokenEndpointAuthSigningAlgorithm": "RS256",
>         "idTokenEncryptionEnabled": false,
>         "tokenIntrospectionEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
>         "requestParameterSignedAlg": null,
>         "authorizationResponseSigningAlgorithm": "RS256",
>         "clientJwtPublicKey": null,
>         "idTokenPublicEncryptionKey": null,
>         "mTLSSubjectDN": null,
>         "jwkStoreCacheMissCacheTime": 60000,
>         "jwkSet": null,
>         "idTokenEncryptionMethod": "A128CBC-HS256",
>         "jwksUri": null,
>         "tokenIntrospectionEncryptedResponseAlg": "RSA-OAEP-256",
>         "authorizationResponseEncryptionMethod": null,
>         "userinfoResponseFormat": "JSON",
>         "mTLSCertificateBoundAccessTokens": false,
>         "publicKeyLocation": "jwks_uri",
>         "tokenIntrospectionResponseFormat": "JSON",
>         "requestParameterEncryptedEncryptionAlgorithm": "A128CBC-HS256",
>         "userinfoSignedResponseAlg": null,
>         "idTokenEncryptionAlgorithm": "RSA-OAEP-256",
>         "requestParameterEncryptedAlg": null,
>         "authorizationResponseEncryptionAlgorithm": null,
>         "mTLSTrustedCert": null,
>         "jwksCacheTimeout": 3600000,
>         "userinfoEncryptedResponseAlg": null,
>         "idTokenSignedResponseAlg": "RS256",
>         "userinfoEncryptedResponseEncryptionAlgorithm": "A128CBC-HS256",
>         "tokenIntrospectionSignedResponseAlg": "RS256"
>       },
>       "coreOpenIDClientConfig": {
>         "claims": [],
>         "backchannel_logout_uri": null,
>         "defaultAcrValues": [],
>         "jwtTokenLifetime": 0,
>         "defaultMaxAgeEnabled": false,
>         "clientSessionUri": null,
>         "defaultMaxAge": 600,
>         "postLogoutRedirectUri": [],
>         "backchannel_logout_session_required": false
>       },
>       "coreOAuth2ClientConfig": {
>         "status": "Active",
>         "clientName": [],
>         "clientType": "Confidential",
>         "loopbackInterfaceRedirection": false,
>         "defaultScopes": [],
>         "agentgroup": null,
>         "refreshTokenLifetime": 0,
>         "scopes": [],
>         "accessTokenLifetime": 0,
>         "redirectionUris": [],
>         "authorizationCodeLifetime": 0
>       },
>       "coreUmaClientConfig": {
>         "claimsRedirectionUris": []
>       },
>       "_type": {
>         "_id": "OAuth2Client",
>         "name": "OAuth2 Clients",
>         "collection": true
>       }
>     }
>   ],
>   "resultCount": 1,
>   "pagedResultsCookie": null,
>   "totalPagedResultsPolicy": "EXACT",
>   "totalPagedResults": 1,
>   "remainingPagedResults": -1
> }
> ```

## Delete an OAuth 2.0 client

This example deletes an OAuth 2.0 client named `myClient` in the `alpha` realm. Append the name of the client to the URL:

```bash
# Delete the client "myClient" from the alpha realm.
# <access-token> and <tenant-env-fqdn> are placeholders for your own values.
# The JSON shown after the command is the response; it identifies the deleted
# client by its _id and _rev.
$ curl \
--request DELETE \
--header "Accept-API-Version: resource=1.0" \
--header "Authorization: Bearer <access-token>" \
"https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/realm-config/agents/OAuth2Client/myClient"
{
    "_id": "myClient",
    "_rev": "-614477476",
    ...
}
```
