Migrate Generic OIDC Identity Provider

Migrate Generic OIDC Identity Provider

Path Parameters

id string required

Header Parameters

x-zitadel-orgid string

The default is always the organization of the requesting user. If you like to get/set a result of another organization include the header. Make sure the user has permission to access the requested data.

application/json

application/grpc

application/grpc-web+proto

Request Body required

azure object

name string

clientId string

client id generated by the Azure AD

clientSecret string

client secret generated by the Azure AD

tenant object

Defines what kind of accounts are allowed to authenticate (Personal, Organizational, All). If not provided the common tenant will be used (All accounts)

tenantType string

Possible values: [AZURE_AD_TENANT_TYPE_COMMON, AZURE_AD_TENANT_TYPE_ORGANISATIONS, AZURE_AD_TENANT_TYPE_CONSUMERS]

Default value: AZURE_AD_TENANT_TYPE_COMMON

tenantId string

emailVerified boolean

Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)

scopes string[]

the scopes requested by ZITADEL during the request to Azure AD

providerOptions object

isLinkingAllowed boolean

Enable if users should be able to link an existing ZITADEL user with an external account.

isCreationAllowed boolean

Enable if users should be able to create a new account in ZITADEL when using an external account.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

google object

name Google will be used as default, if no name is provided

Google will be used as default, if no name is provided

clientId string

Client id generated by Google

clientSecret string

Client secret generated by Google

scopes string[]

The scopes requested by ZITADEL during the request to Google

providerOptions object

isLinkingAllowed boolean

Enable if users should be able to link an existing ZITADEL user with an external account.

isCreationAllowed boolean

Enable if users should be able to create a new account in ZITADEL when using an external account.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

Request Body required

azure object

name string

clientId string

client id generated by the Azure AD

clientSecret string

client secret generated by the Azure AD

tenant object

Defines what kind of accounts are allowed to authenticate (Personal, Organizational, All). If not provided the common tenant will be used (All accounts)

tenantType string

Possible values: [AZURE_AD_TENANT_TYPE_COMMON, AZURE_AD_TENANT_TYPE_ORGANISATIONS, AZURE_AD_TENANT_TYPE_CONSUMERS]

Default value: AZURE_AD_TENANT_TYPE_COMMON

tenantId string

emailVerified boolean

Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)

scopes string[]

the scopes requested by ZITADEL during the request to Azure AD

providerOptions object

isLinkingAllowed boolean

Enable if users should be able to link an existing ZITADEL user with an external account.

isCreationAllowed boolean

Enable if users should be able to create a new account in ZITADEL when using an external account.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

google object

name Google will be used as default, if no name is provided

Google will be used as default, if no name is provided

clientId string

Client id generated by Google

clientSecret string

Client secret generated by Google

scopes string[]

The scopes requested by ZITADEL during the request to Google

providerOptions object

isLinkingAllowed boolean

Enable if users should be able to link an existing ZITADEL user with an external account.

isCreationAllowed boolean

Enable if users should be able to create a new account in ZITADEL when using an external account.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

Request Body required

azure object

name string

clientId string

client id generated by the Azure AD

clientSecret string

client secret generated by the Azure AD

tenant object

Defines what kind of accounts are allowed to authenticate (Personal, Organizational, All). If not provided the common tenant will be used (All accounts)

tenantType string

Possible values: [AZURE_AD_TENANT_TYPE_COMMON, AZURE_AD_TENANT_TYPE_ORGANISATIONS, AZURE_AD_TENANT_TYPE_CONSUMERS]

Default value: AZURE_AD_TENANT_TYPE_COMMON

tenantId string

emailVerified boolean

Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)

scopes string[]

the scopes requested by ZITADEL during the request to Azure AD

providerOptions object

isLinkingAllowed boolean

Enable if users should be able to link an existing ZITADEL user with an external account.

isCreationAllowed boolean

Enable if users should be able to create a new account in ZITADEL when using an external account.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

google object

name Google will be used as default, if no name is provided

Google will be used as default, if no name is provided

clientId string

Client id generated by Google

clientSecret string

Client secret generated by Google

scopes string[]

The scopes requested by ZITADEL during the request to Google

providerOptions object

isLinkingAllowed boolean

Enable if users should be able to link an existing ZITADEL user with an external account.

isCreationAllowed boolean

Enable if users should be able to create a new account in ZITADEL when using an external account.

isAutoCreation boolean

Enable if a new account in ZITADEL should be created automatically when login with an external account.

isAutoUpdate boolean

Enable if a the ZITADEL account fields should be updated automatically on each login.

autoLinking string

Possible values: [AUTO_LINKING_OPTION_UNSPECIFIED, AUTO_LINKING_OPTION_USERNAME, AUTO_LINKING_OPTION_EMAIL]

Default value: AUTO_LINKING_OPTION_UNSPECIFIED

Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.

Responses

• 200
• default

---

A successful response.

application/json

application/grpc

application/grpc-web+proto

Schema

Example (from schema)

---

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs to

{
  "details": {
    "sequence": "2",
    "creationDate": "2024-06-13T07:44:40.047Z",
    "changeDate": "2024-06-13T07:44:40.047Z",
    "resourceOwner": "69629023906488334"
  }
}

Schema

Example (from schema)

---

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs to

{
  "details": {
    "sequence": "2",
    "creationDate": "2024-06-13T07:44:40.047Z",
    "changeDate": "2024-06-13T07:44:40.047Z",
    "resourceOwner": "69629023906488334"
  }
}

Schema

Example (from schema)

---

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs to

{
  "details": {
    "sequence": "2",
    "creationDate": "2024-06-13T07:44:40.047Z",
    "changeDate": "2024-06-13T07:44:40.047Z",
    "resourceOwner": "69629023906488334"
  }
}

An unexpected error response.

application/json

application/grpc

application/grpc-web+proto

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

POST /idps/generic_oidc/:id/_migrate

Authorization

name: OAuth2type: oauth2scopes: openid,urn:zitadel:iam:org:project:id:zitadel:audflows: {
  "authorizationCode": {
    "authorizationUrl": "$CUSTOM-DOMAIN/oauth/v2/authorize",
    "tokenUrl": "$CUSTOM-DOMAIN/oauth/v2/token",
    "scopes": {
      "openid": "openid",
      "urn:zitadel:iam:org:project:id:zitadel:aud": "urn:zitadel:iam:org:project:id:zitadel:aud"
    }
  }
}

Request

Base URL

https://$CUSTOM-DOMAIN/management/v1

Bearer Token

id — path required

x-zitadel-orgid — header

Content-Type

application/jsonapplication/grpcapplication/grpc-web+proto

Body required

{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}

Accept

application/jsonapplication/grpcapplication/grpc-web+proto

curl / cURL

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

python / requests

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

go / native

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

nodejs / axios

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

ruby / Net::HTTP

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

csharp / RestSharp

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

php / cURL

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

java / OkHttp

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'

powershell / RestMethod

curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/idps/generic_oidc/:id/_migrate' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "azure": {
    "name": "Azure AD",
    "clientId": "client-id",
    "clientSecret": "secret",
    "tenant": {
      "tenantType": "AZURE_AD_TENANT_TYPE_COMMON",
      "tenantId": "string"
    },
    "emailVerified": true,
    "scopes": [
      "openid",
      "profile",
      "email",
      "User.Read"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  },
  "google": {
    "name": "Google",
    "clientId": "client-id",
    "clientSecret": "secret",
    "scopes": [
      "openid",
      "profile",
      "email"
    ],
    "providerOptions": {
      "isLinkingAllowed": true,
      "isCreationAllowed": true,
      "isAutoCreation": true,
      "isAutoUpdate": true,
      "autoLinking": "AUTO_LINKING_OPTION_UNSPECIFIED"
    }
  }
}'