OIDC Authentication Policy - Apinizer Dokümantasyonu

General Information

Policy Type

policy-oidc

Endpoints

List Policies

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Add Policy

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Update Policy

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Delete Policy

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

List Policies

Endpoint

GET /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/

Request

Headers

Header	Value
Authorization	Bearer `{token}`

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name

Response

Success Response (200 OK)

{
  "success": true,
  "resultList": [
    {
      "apiProxy": {
        "name": "MyAPI",
        "requestPolicyList": [
          {
            "type": "policy-oidc",
            "name": "oidc-auth-policy",
            "description": "OIDC authentication with Google",
            "active": true,
            "issuer": "https://accounts.google.com",
            "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
            "tokenEndpoint": "https://oauth2.googleapis.com/token",
            "flowType": "AUTHORIZATION_CODE",
            "clientId": "your-client-id",
            "scopes": ["openid", "profile", "email"]
          }
        ],
        "responsePolicyList": [],
        "errorPolicyList": []
      }
    }
  ],
  "resultCount": 1
}

Note: In list operations, clientSecret is cleared for security.

cURL Example

curl -X GET \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/" \
  -H "Authorization: Bearer YOUR_TOKEN"

Add Policy

Endpoint

POST /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example - Authorization Code Flow with PKCE

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["production"],
    "order": 1
  },
  "policy": {
    "type": "policy-oidc",
    "description": "OIDC authentication with Google",
    "active": true,
    "issuer": "https://accounts.google.com",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://oauth2.googleapis.com/token",
    "userInfoEndpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwksEndpoint": "https://www.googleapis.com/oauth2/v3/certs",
    "clientId": "your-client-id.apps.googleusercontent.com",
    "clientSecret": "your-client-secret",
    "redirectUri": "https://api.example.com/oidc/callback",
    "flowType": "AUTHORIZATION_CODE",
    "enablePKCE": true,
    "scopes": ["openid", "profile", "email"],
    "additionalAuthParams": {},
    "authenticationMode": "EXTERNAL_ONLY",
    "requireBothInHybrid": false,
    "validateIdToken": true,
    "validateAccessToken": false,
    "validateJwtLocally": true,
    "validateJwtSignature": true,
    "expectedJwtAuthSigningAlgs": ["RS256", "RS384", "RS512"],
    "callUserInfoEndpoint": true,
    "tokenCacheTimeoutSeconds": 3600,
    "jwkCacheTimeoutSeconds": 3600,
    "usernameClaimPath": "sub",
    "emailClaimPath": "email",
    "displayNameClaimPath": "name",
    "roleMappings": [],
    "sessionCookieName": "OIDC_SESSION",
    "sessionTimeoutMinutes": 60,
    "enableStateValidation": true,
    "enableNonceValidation": true,
    "validateIssuer": true,
    "expectedIssuer": "https://accounts.google.com",
    "validateAudience": false,
    "expectedAudience": [],
    "sessionCookieSecure": true,
    "allowInsecureConnections": false,
    "connectionTimeoutSeconds": 30,
    "readTimeoutSeconds": 30,
    "maxClockSkewSeconds": 300,
    "errorRedirectUrl": null,
    "errorMessageTemplate": null,
    "includeErrorDetails": false,
    "customHeaders": {},
    "userAgent": "Apinizer-OIDC-Client/1.0",
    "enableDebugLogging": false,
    "customClaimMappings": {},
    "disableUserinfoHeader": false,
    "userinfoHeaderName": "UserInfo"
  }
}

Request Body Fields

operationMetadata

Field	Type	Required	Default	Description
targetScope	string	Yes	-	Policy scope: `ALL` or `ENDPOINT`
targetEndpoint	string	No*	-	Endpoint path (required if targetScope=ENDPOINT)
targetEndpointHTTPMethod	string	No*	-	HTTP method (required if targetScope=ENDPOINT)
targetPipeline	string	Yes	-	Pipeline: `REQUEST`, `RESPONSE`, or `ERROR`
deploy	boolean	No	true	Whether to deploy after adding policy
deployTargetEnvironmentNameList	array	No	[]	List of environment names to deploy to
order	integer	No	null	Policy execution order (starts from 1)

Enum: targetScope

ALL - Policy applies to all endpoints
ENDPOINT - Policy applies only to specified endpoint

Enum: targetPipeline

REQUEST - Executes in request pipeline (authenticates request)
RESPONSE - Executes in response pipeline
ERROR - Executes in error pipeline

Enum: targetEndpointHTTPMethod

GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD

policy

Field	Type	Required	Default	Description
type	string	Yes	-	Policy type: `policy-oidc`
description	string	No	-	Policy description
active	boolean	No	true	Whether policy is active
issuer	string	Yes	-	OIDC Issuer URL (e.g., https://accounts.google.com)
authorizationEndpoint	string	Yes	-	Authorization endpoint URL
tokenEndpoint	string	Yes	-	Token endpoint URL
userInfoEndpoint	string	No	null	UserInfo endpoint URL (optional)
jwksEndpoint	string	No*	null	JWKS endpoint URL (required if validateJwtSignature=true)
clientId	string	Yes	-	OIDC Client ID
clientSecret	string	No	null	OIDC Client Secret (encrypted)
redirectUri	string	Yes	-	Redirect URI (callback URL)
flowType	string	No	AUTHORIZATION_CODE	OIDC Flow Type
enablePKCE	boolean	No	true	Enable PKCE (Proof Key for Code Exchange)
scopes	array	Yes	[“openid”, “profile”, “email”]	OIDC/OAuth 2.0 scopes (must include “openid” for OIDC)
additionalAuthParams	object	No	Additional authorization parameters
authenticationMode	string	No	EXTERNAL_ONLY	Authentication mode
requireBothInHybrid	boolean	No	false	Require both external and internal authentication in hybrid mode
validateIdToken	boolean	No	true	Validate ID Token signature and claims
validateAccessToken	boolean	No	false	Validate Access Token
validateJwtLocally	boolean	No	true	Validate JWT token locally (exp, iss, aud checks)
validateJwtSignature	boolean	No	false	Validate JWT signature using JWKS endpoint
expectedJwtAuthSigningAlgs	array	No	[“RS256”, “RS384”, “RS512”, “ES256”, “ES384”, “ES512”, “PS256”, “PS384”, “PS512”, “EdDSA”]	Expected JWT signing algorithms
callUserInfoEndpoint	boolean	No	true	Call UserInfo endpoint to get user information
tokenCacheTimeoutSeconds	integer	No	3600	Token cache timeout in seconds
jwkCacheTimeoutSeconds	integer	No	3600	JWK cache timeout in seconds
usernameClaimPath	string	No	”sub”	Claim path for username
emailClaimPath	string	No	”email”	Claim path for email
displayNameClaimPath	string	No	”name”	Claim path for display name
roleMappings	array	No	[]	Role mappings for authorization
sessionCookieName	string	No	”OIDC_SESSION”	Session cookie name
sessionTimeoutMinutes	integer	No	60	Session timeout in minutes
enableStateValidation	boolean	No	true	Enable state validation for CSRF protection
enableNonceValidation	boolean	No	true	Enable nonce validation for replay attack protection
introspectionEndpoint	string	No	null	Introspection endpoint URL (optional)
validateIssuer	boolean	No	true	Validate issuer claim in JWT
expectedIssuer	string	No	null	Expected issuer value
validateAudience	boolean	No	false	Validate audience claim in JWT
expectedAudience	array	No	[]	Expected audience values
sessionCookieSecure	boolean	No	true	Session cookie secure flag (HTTPS only)
allowInsecureConnections	boolean	No	false	Allow insecure HTTPS connections
connectionTimeoutSeconds	integer	No	30	Connection timeout in seconds
readTimeoutSeconds	integer	No	30	Read timeout in seconds
maxClockSkewSeconds	integer	No	300	Maximum clock skew in seconds for token validation
errorRedirectUrl	string	No	null	Error redirect URL
errorMessageTemplate	string	No	null	Error message template
includeErrorDetails	boolean	No	false	Include error details in response
customHeaders	object	No	Custom HTTP headers to include in OIDC requests
userAgent	string	No	”Apinizer-OIDC-Client/1.0”	User agent string for OIDC requests
enableDebugLogging	boolean	No	false	Enable debug logging
customClaimMappings	object	No	Custom claim mappings
disableUserinfoHeader	boolean	No	false	Disable userinfo header in response
userinfoHeaderName	string	No	”UserInfo”	Userinfo header name

EnumOIDCFlowType

AUTHORIZATION_CODE - Authorization Code Flow (recommended, most secure)
IMPLICIT - Implicit Flow (less secure, deprecated)
HYBRID - Hybrid Flow (combines authorization code and implicit)
OAUTH2_AUTHORIZATION_CODE - OAuth 2.0 Authorization Code Flow (without OIDC)

EnumOIDCAuthenticationMode

EXTERNAL_ONLY - External OIDC Provider Only
INTERNAL_ONLY - Internal Apinizer Credentials Only
HYBRID - Hybrid - External OIDC + Internal Credentials

JWT Signing Algorithms

RS256, RS384, RS512 - RSA with SHA-256/384/512
ES256, ES384, ES512 - ECDSA with SHA-256/384/512
PS256, PS384, PS512 - RSASSA-PSS with SHA-256/384/512
EdDSA - Edwards-curve Digital Signature Algorithm

Note

issuer, authorizationEndpoint, tokenEndpoint, clientId, and redirectUri are required.
scopes must contain at least “openid” for OIDC flows.
If validateJwtSignature: true, jwksEndpoint is required.
If validateAudience: true, expectedAudience must contain at least one value.

roleMappings

Each role mapping is an object with the following fields:

Field	Type	Required	Default	Description
claimPath	string	Yes	-	JSONPath or claim name to extract role information (e.g., “roles”, “groups”, “$.realm_access.roles”)
claimValue	string	No	null	Expected value in the claim (if null, any non-empty value matches)
roleName	string	Yes	-	Apinizer role name to assign when claim matches
required	boolean	No	false	Whether this is a required role mapping

Claim Path Examples

"roles" - Simple claim name
"groups" - Groups claim
"$.realm_access.roles" - JSONPath for nested claim
"$.resource_access.myapp.roles" - JSONPath for resource-specific roles

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

cURL Example

curl -X POST \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/policies/oidc-auth-policy/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "operationMetadata": {
      "targetScope": "ALL",
      "targetPipeline": "REQUEST",
      "deploy": true,
      "deployTargetEnvironmentNameList": ["production"],
      "order": 1
    },
    "policy": {
      "type": "policy-oidc",
      "description": "OIDC authentication",
      "active": true,
      "issuer": "https://accounts.google.com",
      "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
      "tokenEndpoint": "https://oauth2.googleapis.com/token",
      "clientId": "your-client-id",
      "clientSecret": "your-client-secret",
      "redirectUri": "https://api.example.com/oidc/callback",
      "flowType": "AUTHORIZATION_CODE",
      "enablePKCE": true,
      "scopes": ["openid", "profile", "email"]
    }
  }'

Update Policy

Endpoint

PUT /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": true,
    "deployTargetEnvironmentNameList": ["tester"],
    "order": 1
  },
  "policy": {
    "type": "policy-oidc",
    "description": "Updated: OIDC authentication with enhanced security",
    "active": true,
    "issuer": "https://accounts.google.com",
    "authorizationEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "tokenEndpoint": "https://oauth2.googleapis.com/token",
    "userInfoEndpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwksEndpoint": "https://www.googleapis.com/oauth2/v3/certs",
    "clientId": "your-client-id.apps.googleusercontent.com",
    "clientSecret": "your-updated-client-secret",
    "redirectUri": "https://api.example.com/oidc/callback",
    "flowType": "AUTHORIZATION_CODE",
    "enablePKCE": true,
    "scopes": ["openid", "profile", "email", "groups"],
    "additionalAuthParams": {
      "prompt": "consent",
      "access_type": "offline"
    },
    "authenticationMode": "EXTERNAL_ONLY",
    "requireBothInHybrid": false,
    "validateIdToken": true,
    "validateAccessToken": true,
    "validateJwtLocally": true,
    "validateJwtSignature": true,
    "expectedJwtAuthSigningAlgs": ["RS256", "RS384", "RS512", "ES256"],
    "callUserInfoEndpoint": true,
    "tokenCacheTimeoutSeconds": 7200,
    "jwkCacheTimeoutSeconds": 7200,
    "usernameClaimPath": "sub",
    "emailClaimPath": "email",
    "displayNameClaimPath": "name",
    "roleMappings": [
      {
        "claimPath": "groups",
        "claimValue": "admins",
        "role": "admin"
      },
      {
        "claimPath": "groups",
        "claimValue": "users",
        "role": "user"
      }
    ],
    "sessionCookieName": "OIDC_SESSION",
    "sessionTimeoutMinutes": 120,
    "enableStateValidation": true,
    "enableNonceValidation": true,
    "validateIssuer": true,
    "expectedIssuer": "https://accounts.google.com",
    "validateAudience": true,
    "expectedAudience": ["your-client-id.apps.googleusercontent.com"],
    "sessionCookieSecure": true,
    "allowInsecureConnections": false,
    "connectionTimeoutSeconds": 60,
    "readTimeoutSeconds": 60,
    "maxClockSkewSeconds": 180,
    "errorRedirectUrl": "https://api.example.com/error",
    "errorMessageTemplate": "Authentication failed: {error}",
    "includeErrorDetails": true,
    "customHeaders": {
      "X-Custom-Header": "custom-value"
    },
    "userAgent": "Apinizer-OIDC-Client/2.0",
    "enableDebugLogging": true,
    "customClaimMappings": {
      "department": "user.department",
      "employee_id": "user.employeeId"
    },
    "disableUserinfoHeader": false,
    "userinfoHeaderName": "X-UserInfo"
  }
}

Note: Request body structure is the same as Add Policy. All fields should be provided for update.

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": [
      {
        "environmentName": "production",
        "success": true,
        "message": "Deployment successful"
      }
    ]
  }
}

Delete Policy

Endpoint

DELETE /apiops/projects/{projectName}/apiProxies/{apiProxyName}/policies/{policyName}/

Request

Headers

Header	Value
Authorization	Bearer `{token}`
Content-Type	application/json

Path Parameters

Parameter	Type	Required	Description
projectName	string	Yes	Project name
apiProxyName	string	Yes	API Proxy name
policyName	string	Yes	Policy name

Request Body

Full JSON Body Example

{
  "operationMetadata": {
    "targetScope": "ALL",
    "targetPipeline": "REQUEST",
    "deploy": false
  }
}

Response

Success Response (200 OK)

{
  "success": true,
  "deploymentResult": {
    "success": true,
    "deploymentResults": []
  }
}

Notes and Warnings

Flow Types:
- AUTHORIZATION_CODE - Recommended, most secure flow
- IMPLICIT - Less secure, deprecated
- HYBRID - Combines authorization code and implicit
- OAUTH2_AUTHORIZATION_CODE - OAuth 2.0 without OIDC
PKCE: Enable PKCE for enhanced security (recommended for all flows)
Scopes: Must include “openid” for OIDC flows. Common scopes: “openid”, “profile”, “email”, “offline_access”
Token Validation:
- validateIdToken: Validates ID token signature and claims
- validateJwtSignature: Validates JWT signature using JWKS endpoint (requires jwksEndpoint)
- validateJwtLocally: Validates expiration, issuer, audience locally
Issuer and Audience:
- validateIssuer: Validates issuer claim matches expected issuer
- validateAudience: Validates audience claim matches expected audience (requires expectedAudience)
Session Management:
- Session data is encrypted and stored in cache
- Session encryption key/IV are auto-generated from policy ID
- Session cookie is secure by default (HTTPS only)
Role Mapping: Map OIDC claims to Apinizer roles using roleMappings
UserInfo Endpoint: Call UserInfo endpoint to get additional user information
Cache: Token and JWK caches improve performance (configurable timeouts)
Security:
- Use HTTPS for all OIDC endpoints
- Enable state and nonce validation for CSRF/replay protection
- Validate JWT signatures for token integrity
Performance: Token and JWK caching reduces provider calls
Pipeline:
- REQUEST pipeline authenticates request using OIDC flow
- Authentication failure redirects to authorization endpoint or returns error
Error Handling: Configure error redirect URL and message template for user-friendly error handling
Deployment: Policy changes require deployment to take effect. Set deploy: true or deploy manually.

List Policies - List all policies
Add Policy - General policy addition guide
Update Policy - General policy update guide
Delete Policy - General policy deletion guide
OAuth2 Authentication Policy - OAuth 2.0 Authentication
JWT Authentication Policy - JWT Token Authentication

Home

​General Information

​Policy Type

​Endpoints

​List Policies

​Add Policy

​Update Policy

​Delete Policy

​List Policies

​Endpoint

​Request

​Headers

​Path Parameters

​Response

​Success Response (200 OK)

​cURL Example

​Add Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example - Authorization Code Flow with PKCE

​Request Body Fields

operationMetadata

policy

​EnumOIDCFlowType

​EnumOIDCAuthenticationMode

​JWT Signing Algorithms

​Note

roleMappings

​Claim Path Examples

​Response

​Success Response (200 OK)

​cURL Example

​Update Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example

​Response

​Success Response (200 OK)

​Delete Policy

​Endpoint

​Request

​Headers

​Path Parameters

​Request Body

Full JSON Body Example

​Response

​Success Response (200 OK)

​Notes and Warnings

​Related Documentation

General Information

Policy Type

Endpoints

List Policies

Add Policy

Update Policy

Delete Policy

List Policies

Endpoint

Request

Headers

Path Parameters

Response

Success Response (200 OK)

cURL Example

Add Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Request Body Fields

EnumOIDCFlowType

EnumOIDCAuthenticationMode

JWT Signing Algorithms

Note

Claim Path Examples

Response

Success Response (200 OK)

cURL Example

Update Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Response

Success Response (200 OK)

Delete Policy

Endpoint

Request

Headers

Path Parameters

Request Body

Response

Success Response (200 OK)

Notes and Warnings

Related Documentation