PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}
// PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  organization_id: "${organizationId}",
  connection_id: "${oidcConnectionId}",
  client_id: "${exampleClientID}",
  client_secret: "${token}",
};

const options = {
  authorization: {
    session_token: '${sessionToken}',
  },
};

// The Node SDK exposes camelCase namespaces and methods.
client.sso.oidc.updateConnection(params, options)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });

{
  "request_id": "<string>",
  "status_code": 123,
  "connection": {
    "organization_id": "<string>",
    "connection_id": "<string>",
    "status": "<string>",
    "display_name": "<string>",
    "redirect_url": "<string>",
    "client_id": "<string>",
    "client_secret": "<string>",
    "issuer": "<string>",
    "authorization_url": "<string>",
    "token_url": "<string>",
    "userinfo_url": "<string>",
    "jwks_url": "<string>",
    "identity_provider": "<string>",
    "custom_scopes": "<string>",
    "attribute_mapping": {}
  },
  "warning": "<string>"
}
RBAC Enforced API: If a Member Session is passed in the Authorization headers, Stytch will enforce that the Member has permission to take the Action on the Resource prior to honoring the request. To learn more, see the RBAC guide.
When the value of issuer changes, Stytch will attempt to retrieve the OpenID Provider Metadata document found at ${issuer}/.well-known/openid-configuration. If the metadata document can be retrieved successfully, Stytch will use it to infer the values of authorization_url, token_url, jwks_url, and userinfo_url. The client_id and client_secret values cannot be inferred from the metadata document, and must be passed in explicitly. If the metadata document cannot be retrieved, Stytch will still update the connection using values from the request body. If the metadata document can be retrieved, and values are passed in the request body, the explicit values passed in from the request body will take precedence over the values inferred from the metadata document. Note that a newly created connection will not become active until all of the following fields are provided:
  • issuer
  • client_id
  • client_secret
  • authorization_url
  • token_url
  • userinfo_url
  • jwks_url
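
Added example (not from the Stytch docs or SDK): a local preflight in Node.js that models the rules above, showing which fields the metadata document can supply, that explicit body values win, and which required fields would still be missing. `planUpdate`, `discoveryUrl` and the `idp.example.com` values are hypothetical, and the issuer-match check is this example's own assumption.

```javascript
// Added example: local preflight modelling the merge rules documented above.
const REQUIRED = ['issuer', 'client_id', 'client_secret', 'authorization_url',
  'token_url', 'userinfo_url', 'jwks_url'];
// OIDC discovery metadata key -> connection field it can populate.
const INFERRED = {
  authorization_endpoint: 'authorization_url',
  token_endpoint: 'token_url',
  userinfo_endpoint: 'userinfo_url',
  jwks_uri: 'jwks_url',
};
const discoveryUrl = (issuer) => `${issuer}/.well-known/openid-configuration`;

// body: fields you intend to send; metadata: parsed discovery document or null.
function planUpdate(body, metadata) {
  const warnings = [];
  const inferred = {};
  if (!metadata) {
    warnings.push(`could not retrieve ${discoveryUrl(body.issuer)}`);
  } else if (metadata.issuer !== body.issuer) {
    // Assumption: this preflight ignores a document whose issuer differs
    // (exact, case-sensitive compare), as OIDC Discovery requires of clients.
    warnings.push('metadata issuer mismatch; document ignored');
  } else {
    for (const [key, field] of Object.entries(INFERRED)) {
      if (metadata[key]) inferred[field] = metadata[key];
    }
  }
  // Explicit request-body values take precedence over inferred ones.
  const explicit = Object.fromEntries(
    Object.entries(body).filter(([, v]) => v !== undefined && v !== ''));
  const effective = { ...inferred, ...explicit };
  const missing = REQUIRED.filter((f) => !effective[f]);
  return { effective, missing, warnings };
}

// Constructed sample data (idp.example.com is a placeholder IdP).
const sampleMetadata = {
  issuer: 'https://idp.example.com',
  authorization_endpoint: 'https://idp.example.com/authorize',
  token_endpoint: 'https://idp.example.com/token',
  userinfo_endpoint: 'https://idp.example.com/userinfo',
  jwks_uri: 'https://idp.example.com/keys',
};
const sampleBody = {
  issuer: 'https://idp.example.com',
  client_id: 'example-client-id',
  client_secret: 'example-client-secret',
  token_url: 'https://idp.example.com/oauth2/v2/token',
};
console.log(planUpdate(sampleBody, sampleMetadata));
```

A non-empty `missing` list means the connection would not yet satisfy the required-field list above.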

Authorizations

Authorization
string
header
required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Headers

X-Stytch-Member-Session
string

A Stytch session that can be used to run the request with the given member's permissions.

X-Stytch-Member-SessionJWT
string

A Stytch Session JSON Web Token (JWT) that can be used to run the request with the given member's permissions.

Path Parameters

organization_id
string
required

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

connection_id
string
required

Globally unique UUID that identifies a specific SSO connection_id for a Member.

Body

application/json

Request type

display_name
string

A human-readable display name for the connection.

client_id
string

The OAuth2.0 client ID used to authenticate login attempts. This will be provided by the IdP.

client_secret
string

The secret belonging to the OAuth2.0 client used to authenticate login attempts. This will be provided by the IdP.

issuer
string

A case-sensitive https:// URL that uniquely identifies the IdP. This will be provided by the IdP.

authorization_url
string

The location of the URL that starts an OAuth login at the IdP. This will be provided by the IdP.

token_url
string

The location of the URL that issues OAuth2.0 access tokens and OIDC ID tokens. This will be provided by the IdP.

userinfo_url
string

The location of the IdP's UserInfo Endpoint. This will be provided by the IdP.

jwks_url
string

The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This will be provided by the IdP.

identity_provider
enum<string>

Name of the IdP. Enum with possible values: classlink, cyberark, duo, google-workspace, jumpcloud, keycloak, miniorange, microsoft-entra, okta, onelogin, pingfederate, rippling, salesforce, shibboleth, or generic.

Specifying a known provider allows Stytch to handle any provider-specific logic.

Available options: classlink, cyberark, duo, generic, google-workspace, jumpcloud, keycloak, miniorange, microsoft-entra, okta, onelogin, pingfederate, rippling, salesforce, shibboleth

custom_scopes
string

Include a space-separated list of custom scopes that you'd like to include. Note that this list must be URL encoded, e.g. the spaces must be expressed as %20.

attribute_mapping
object

An object that represents the attributes used to identify a Member. This object will map the IdP-defined User attributes to Stytch-specific values, which will appear on the member's Trusted Metadata.

Response

Successful response

request_id
string
required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code
integer<int32>
required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

connection
object

warning
string

If the well-known metadata document cannot be resolved from the OIDC issuer but the request otherwise succeeds, this field explains what went wrong. In other words, even if the overall request succeeds, there could be relevant warnings related to the connection update.