Boundary
Boundary controller HTTP API
Auth Method Service
Lists all auth methods.
Query Parameters
scope_id string The scope ID in which to list auth methods.
recursive boolean Whether to recursively list auth methods in the provided scope's child scopes.
filter string You can specify that the filter should only return items that match. Refer to filter expressions for more information.
list_token string An opaque token that Boundary uses to continue an existing iteration or request updated items. If you do not specify a token, pagination starts from the beginning. To learn more about list pagination in Boundary, refer to list pagination.
page_size integer The maximum size of a page in this iteration. If you do not set a page size, Boundary uses the configured default page size. If the page_size is greater than the default page size configured, Boundary truncates the page size to this number.
Creates a single auth method.
Body Parameters
scope_id string The ID of the Scope of which this auth method is a part.
name string Optional name for identification purposes.
description string Optional user-set description for identification purposes.
version integer Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version. Version is not required when you create an auth method.
type string The auth method type.
attributes object The attributes that are applicable for the specific auth method type. The schema of this field depends on the type of the auth method that you want to create. For password auth methods, the parameters are:
{
"min_login_name_length": "min_login_name_length",
"min_password_length": "min_password_length"
}
For OIDC auth methods, the parameters are:
{
"issuer": "issuer",
"client_id": "client_id",
"client_secret": "client_secret",
"max_age": 3600,
"signing_algorithms": [],
"api_url_prefix": "api_url_prefix",
"idp_ca_certs": [],
"allowed_audiences": [],
"claims_scopes": [],
"account_claim_maps": [],
"disable_discovered_config_validation": false,
"prompts": []
}
For LDAP auth methods, the parameters are:
{
"start_tls": false,
"insecure_tls": false,
"discover_dn": false,
"anon_group_search": false,
"upn_domain": "upn_domain",
"urls": [],
"user_dn": "user_dn",
"user_attr": "user_attr",
"user_filter": "user_filter",
"enable_groups": false,
"group_dn": "group_dn",
"group_attr": "group_attr",
"group_filter": "group_filter",
"certificates": [],
"client_certificate": "client_certificate",
"client_certificate_key": "client_certificate_key",
"bind_dn": "bind_dn",
"bind_password": "bind_password",
"use_token_groups": false,
"account_attribute_maps": [],
"maximum_page_size": 1000,
"dereference_aliases": "never"
}
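An added example, not part of the Boundary documentation: a check to run over a create or update request body before it is sent, flagging attribute values from the lists above that a reviewer would want justified. The rule set, the `MIN_PASSWORD_LENGTH` policy value, the lowercase `type` strings, and the sample bodies are assumptions of this example.

```python
from urllib.parse import urlparse

MIN_PASSWORD_LENGTH = 12  # assumed local policy, not a Boundary default


def lint_auth_method(body):
    """Return a list of findings for an auth method create/update body."""
    kind = str(body.get("type", "")).lower()
    attrs = body.get("attributes") or {}
    findings = []
    if kind == "ldap":
        schemes = {urlparse(u).scheme.lower() for u in attrs.get("urls", [])}
        if attrs.get("insecure_tls"):
            findings.append("ldap: insecure_tls is enabled")
        if "ldap" in schemes and not attrs.get("start_tls"):
            findings.append("ldap: ldap:// URL without start_tls")
        for flag in ("discover_dn", "anon_group_search"):
            if attrs.get(flag):
                findings.append(f"ldap: {flag} is enabled")
    elif kind == "oidc":
        if attrs.get("disable_discovered_config_validation"):
            findings.append("oidc: disable_discovered_config_validation is enabled")
        if urlparse(attrs.get("issuer", "")).scheme.lower() != "https":
            findings.append("oidc: issuer is not an https URL")
    elif kind == "password":
        # Only judge the value when the caller sets it explicitly.
        if "min_password_length" in attrs:
            length = int(attrs["min_password_length"])
            if length < MIN_PASSWORD_LENGTH:
                findings.append(
                    f"password: min_password_length {length} < {MIN_PASSWORD_LENGTH}")
    else:
        findings.append(f"unknown auth method type: {kind!r}")
    return findings


# Constructed sample request bodies (hostnames are placeholders).
SAMPLES = [
    {"type": "ldap", "attributes": {
        "urls": ["ldap://ldap.example.internal"], "insecure_tls": True}},
    {"type": "ldap", "attributes": {"urls": ["ldaps://ldap.example.internal"]}},
    {"type": "oidc", "attributes": {
        "issuer": "http://idp.example.internal",
        "disable_discovered_config_validation": True}},
    {"type": "password", "attributes": {"min_password_length": 8}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["type"], lint_auth_method(sample))
```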
Authenticate a user to a scope and retrieve an authentication token.
Path Parameters
auth_method_id string Required. The ID of the auth method in the system that should be used for authentication.
Body Parameters
token_type string This can be "cookie" or "token". If not provided, "token" will be used. "cookie" activates a split-cookie method where the token is split partially between http-only and regular cookies in order to keep it safe from rogue JS in the browser. Deprecated, use "type" instead.
type string This can be "cookie" or "token". If not provided, "token" will be used. "cookie" activates a split-cookie method where the token is split partially between http-only and regular cookies in order to keep it safe from rogue JS in the browser.
attributes object The attributes that are used to authenticate to the auth method. The schema of this field depends on the type of the auth method. For password auth methods, the parameters are:
{
"login_name": "login_name",
"password": "password"
}
For LDAP auth methods, the parameters are:
{
"login_name": "login_name",
"password": "password"
}
For OIDC auth methods, the parameters are:
{
"roundtrip_payload": {}
}
OIDC authentication requires multiple calls to this endpoint. After the initial call and successful authentication, the OIDC provider must redirect the user to the callback command:
{
"code": "code",
"state": "state",
"error": "error",
"error_description": "error_description",
"error_uri": "error_uri"
}
Once this has succeeded, the issued auth token can be retrieved by using the token command:
{
"token_id": "token_id_from_initial_response"
}
command string The command to perform. One of "login", "callback", or "token".
Gets a single auth method.
Path Parameters
id string Required. ID of the auth method being requested.
Deletes an AuthMethod
Path Parameters
id string Required. The ID of the auth method to delete.
Updates an auth method.
Path Parameters
id string Required. The ID of the auth method that should be updated.
Body Parameters
scope_id string The ID of the Scope of which this auth method is a part.
name string Optional name for identification purposes.
description string Optional user-set description for identification purposes.
version integer Version is used in mutation requests, after the initial creation, to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version. Version is not required when you create an auth method.
type string The auth method type.
attributes object The attributes that are applicable for the specific auth method type. The schema of this field depends on the type of the auth method that you want to create. For password auth methods, the parameters are:
{
"min_login_name_length": "min_login_name_length",
"min_password_length": "min_password_length"
}
For OIDC auth methods, the parameters are:
{
"issuer": "issuer",
"client_id": "client_id",
"client_secret": "client_secret",
"max_age": 3600,
"signing_algorithms": [],
"api_url_prefix": "api_url_prefix",
"idp_ca_certs": [],
"allowed_audiences": [],
"claims_scopes": [],
"account_claim_maps": [],
"disable_discovered_config_validation": false,
"prompts": []
}
For LDAP auth methods, the parameters are:
{
"start_tls": false,
"insecure_tls": false,
"discover_dn": false,
"anon_group_search": false,
"upn_domain": "upn_domain",
"urls": [],
"user_dn": "user_dn",
"user_attr": "user_attr",
"user_filter": "user_filter",
"enable_groups": false,
"group_dn": "group_dn",
"group_attr": "group_attr",
"group_filter": "group_filter",
"certificates": [],
"client_certificate": "client_certificate",
"client_certificate_key": "client_certificate_key",
"bind_dn": "bind_dn",
"bind_password": "bind_password",
"use_token_groups": false,
"account_attribute_maps": [],
"maximum_page_size": 1000,
"dereference_aliases": "never"
}
Changes the state of an OIDC AuthMethod
Path Parameters
id string Required
Body Parameters
version integer Version is used to ensure this resource has not changed. The mutation will fail if the version does not match the latest known good version.
attributes object The attributes that are applicable for the specific auth method type. The schema of this field depends on the type of the auth method. The only supported auth method type is OIDC. For OIDC auth methods, the parameters are:
{
"state": "active-public",
"disable_discovered_config_validation": false
}