Create New OIDC Client - POST /OIDCClients

Create a new OIDC client.

The ‘Manage Clients’ permission is required to execute this API.


  1. POST /OIDCClients and create a new OIDC client
  2. GET /OIDCClients/{id} and get details of an OIDC client





Media Type (header):

Authorization: Bearer <access token value>
Content-Type: application/json;v=1.0


createClientViewModel=[body]: Specifies the OIDC client details
updateAccessTokenClaimsOnRefresh=[boolean] - Whether the access token should be updated on a refresh token request (true/false)
accessTokenType=[integer] - Whether the access token is a reference token or a self-contained JWT token. Default=Jwt
includeJwtId=[boolean] - Whether JWT access tokens should have an embedded unique Id (true/false)
alwaysIncludeUserClaimsInIdToken=[boolean] - When requesting both an Id token and access token, should the user claims always be added to the Id token instead of requiring the client to use the userinfo endpoint (true/false). Default=false
clientId=[string] – Client Id
clientName=[string] – Client display name
allowOfflineAccess=[boolean] - Whether this client can request refresh tokens (true/false)
clientSecrets=[string] - Credentials to access the token endpoint
allowedGrantTypes=[string] - Grant types the client is allowed to use. Grant types are a way to specify how a client wants to interact with IdentityServer. Allowed values: "client_credentials","implicit","authorization_code","hybrid", “password”
allowedScopes=[boolean] - By default a client has no access to any resources. Specify the allowed resources by adding the corresponding scopes names
enabled=[string] – Whether the client is enabled (true/false). Default=true
requireClientSecret=[boolean] - Whether this client needs a secret to request tokens from the token endpoint (true/false). Default=true
redirectUris=[string] - Specifies the allowed URIs to return tokens or authorization codes to. This is a required field for “implict” and “authorization_code” grant types.
postLogoutRedirectUris=[string] - Allowed URIs to redirect to after logout
frontChannelLogoutUri=[string] - Logout URI at client for HTTP based front-channel logout
frontChannelLogoutSessionRequired=[string] - Whether the user’s session Id should be sent to the FrontChannelLogoutUri (true/false). Default=true
backChannelLogoutUri=[string] - Logout URI at client for HTTP based back-channel logout
backChannelLogoutSessionRequired=[string] - Whether the user’s session Id should be sent in the request to the BackChannelLogoutUri (true/false). Default=true
identityTokenLifetime=[integer] – Timeframe to identity token (in seconds). Default: 300 seconds/5 minutes
accessTokenLifetime=[integer] - Timeframe of access token (in seconds). Default: 3600 seconds/1 hour)
authorizationCodeLifetime=[integer] Timeframe of authorization code (in seconds). Default: 300 seconds/5 minutes)
absoluteRefreshTokenLifetime=[integer] - Maximum timeframe of a refresh token (in seconds). Default: 2592000 seconds/30 days
slidingRefreshTokenLifetime=[integer] - Sliding timeframe of a refresh token (in seconds). Default=1296000 seconds/15 days
refreshTokenUsage=[integer] – Refresh token usage: ReUse = 0, the refresh token handle will stay the same when refreshing tokens, OneTime = 1, the refresh token handle will be updated when refreshing tokens
refreshTokenExpiration=[integer] – Refresh token expiration: Absolute = 0, the refresh token will expire on a fixed point in time (specified by the AbsoluteRefreshTokenLifetime), Sliding = 1, when refreshing the token, the lifetime of the refresh token will be renewed(by the amount specified in SlidingRefreshTokenLifetime). The timeframe will not exceed AbsoluteRefreshTokenLifetime
allowedCorsOrigins=[string] - If specified, will be used by the default CORS policy service implementations (In-Memory and EF) to build a CORS policy for JavaScript clients. This is a required field for “implict” grant type
allowAccessTokensViaBrowser=[string] - Whether this client is allowed to receive access tokens via the browser. This is useful to harden flows that allow multiple response types (e.g. by disallowing a hybrid flow client that is supposed to use code id_token to add the token response type and thus leaking the token to the browser (true/false).
claims=[uniqueItems]: type=[string], value=[string] - Allows settings claims for the client (true/false ). This will be included in the access token.
clientClaimsPrefix=[string] - The prefix of client claim types.

In order to retrieve additional information about the available endpoint-scopes, refer to: ‘http://<server-name/ip>:<port>/cxrestapi/auth/identity/.well-known/openid-configuration’ or click on the discovery document link in your swagger instance.

Success Response:

Code: 201 Success (returns location of the created OIDC client in the response header)

Error Response:

Code: 400 Bad Request
Code: 401 Unauthorized
Code: 403 Forbidden

Sample Response:

no content


Returns the location of the created OIDC client in the response header. If the request fails, it returns an error response.

Send Documentation Feedback - If you have comments about this documentation, you can contact the documentation team by sending your feedback to usWe appreciate your feedback!