POST OAuth/GetConfiguration

Returns the global OAuth configuration settings for remote access to Venafi Trust Protection Platform.

Authorization

  • Roles: Any
  • Token scope:  Admin

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Request body

None.

Response

Response description

Name

Description

HTTP 200

See OAuth result codes.

GetConfiguration returns the Configuration object:

Name

Description

Configuration

object

(Required) An object that contains configuration information for remote access. The following values can be passed in this object. All values are optional.

  • AuthorizeByIntegrated (boolean): Shows whether the authentication server accepts Windows Integrated Authentication.

  • AuthorizeByPassword (boolean): Shows whether the authentication server accepts username/password as authentication credentials.

  • AuthorizeByCertificate (boolean): Shows whether the authentication server accepts certificates as authentication credentials.

  • AuthorizeByJwt (boolean): Shows whether the authentication server accepts JWT authentication.

  • AuthorizeDevice (boolean): Shows whether the authentication server accepts device authentication requests.

  • CertificateConfiguration (object): If object is present, certificate authentication is enabled, which allows the caller to pass a client certificate for authorization. The following values are valid:

    • AuthorizedIssuerDns (array of strings): Policy Tree path to the authorized certificate authority object. When present, only certificates from this CA are valid for authentication.

    • SourceField (string): Specifies which field on the X.509 certificate to use for matching the user identity. There are three valid values: SAN:UPN, SAN:EMAIL, or CN.

  • DefaultAccessTokenValidity (integer): Shows the default number of seconds a token is valid. This can be overridden by an application.

  • DefaultGrantRefreshable (boolean): Shows if, by default, the grant can be refreshed programmatically.

  • DefaultGrantValidity (integer): Shows the default number of seconds a grant is valid. This can be overridden by an application.

  • DeviceConfiguration (object): Shows device authorization specific settings. The following values are valid:

    • VerificationUri (string): Shows the Uri to verify (confirm) a device authorization request.

    • VerificationUriCompleteFormat (string): Shows the Uri to verify (confirm) a device authorization request, with a {0} placeholder to hold the unique request ID.

  • OpenApiEnabled (boolean): Shows whether the OpenAPI documentation is accessible. If set to true, the documentation is available at https://tpp-server-url/vedsdk.

  • OpenApiUi (string): Shows the UI to use for OpenAPI documentation. Valid values are swagger or redoc.

  • SessionPoolAge (integer): Shows the maximum time an entry can be kept in the session pool, in seconds.

  • SessionPoolExpirationInterval (integer): Shows how often the session expiration process runs, in seconds.

  • SessionPoolSize (integer): Shows the WebSDK Session Pool (Cache) size, in number of entries.

  • SessionRightsRefreshInterval (integer): Shows the maximum number of seconds since the last request, after which the stored rights of a session are refreshed from the database

  • StatisticsApiTracking (boolean): Shows the if API usage is tracked via statistics.

  • StatisticsTrackingIncludesTime (boolean): Shows the if API usage statistics tracks API execution times.

  • StrictExpiration (boolean): Shows the session cache expiration strategy. If set to true, the grant will be validated on every API access.

  • RefreshEndpointEnabled (boolean): Shows whether the token refresh endpoint is enabled.

  • UnusedAccessTokenExpiration (integer): Shows the number of seconds an access token must be expired to consider the grant expired, even if the actual grant expiration is further out.

HTTP 400

For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body:

  • Error

    • invalid_request: The request is missing a required parameter or is otherwise malformed.

  • Error_description: If available, additional information about how to retry the request.

HTTP 401

For authentication errors, this call returns HTTP 401 Unauthorized and the following data in the message body:

  • Error

    • invalid_token: The access token is missing, or the provided token is expired, revoked, malformed, or invalid for other reasons.

    • insufficient_rights: The underlying user account does not have sufficient permissions for this request.

  • error_description: If available, additional information about how to retry the request.

HTTP 403

If the response is HTTP 403 Forbidden, the requester's token does not include the admin scope. Call POST Authorize/OAuth with the correct scope and restriction. Update the header with the new token and retry.

  • Error

    • insufficient_scope: The request requires a greater scope than provided by the access token.

  • error_description: If available, additional information about how to retry the request.

Example

Request

POST /vedsdk/oauth/GetConfiguration HTTP/1.1
Host: tpp-server-url
Content-Type: application/json
Accept: application/json
Authorization: Bearer 4MyGeneratedBearerTknz==

{

}

Response

{
  "Configuration": {
    "AuthorizeByCertificate": true,
    "AuthorizeByIntegrated": true,
    "AuthorizeByJwt": true,
    "AuthorizeByPassword": true,
    "AuthorizeDevice": true,
    "CertificateConfiguration": {
      "AuthorizedIssuerDns": [
        "\\VED\\Intermediate and Root Certificates\\DigiCert_Assured_ID_Root_CA_Root_2031"
      ],
      "SourceField": "CN"
    },
    "DefaultAccessTokenValidity": 7776000,
    "DefaultGrantRefreshable": true,
    "DefaultGrantValidity": 31536000,
    "DeviceConfiguration": {
      "VerificationUri": "/aperture/activate",
      "VerificationUriCompleteFormat": "/aperture/activate/{0}"
    },
    "OpenApiEnabled": true,
    "OpenApiUi": "redoc",
    "SessionPoolAge": 86400,
    "SessionPoolExpirationInterval": 300,
    "SessionPoolSize": 5000,
    "SessionRightsRefreshInterval": 60,
    "StatisticsApiTracking": true,
    "StatisticsTrackingIncludesTime": true,
    "StrictExpiration": true,
    "UnusedAccessTokenExpiration": 82800
  },
  "Result": 0,
  "Success": true
}