> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Update OIDC Connection

> Update an existing OIDC Connection

export const action_0 = "update"

export const resource_0 = "stytch.sso"

<Note>
  **RBAC Enforced API**

  If a Member Session is passed in the Authorization headers, Stytch will enforce that the Member has permission to take the **{action_0} Action** on the **{resource_0} Resource** prior to honoring the request.

  To learn more, see the [RBAC guide](/multi-tenant-auth/enterprise-ready/rbac).
</Note>

When the value of issuer changes, Stytch will attempt to retrieve the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1%5F0.html#ProviderMetadata) document found at `${issuer}/.well-known/openid-configuration`. If the metadata document can be retrieved successfully, Stytch will use it to infer the values of `authorization_url, token_url, jwks_url, and userinfo_url`. The `client_id` and `client_secret` values cannot be inferred from the metadata document, and *must* be passed in explicitly.

If the metadata document cannot be retrieved, Stytch will still update the connection using values from the request body.

If the metadata document can be retrieved, and values are passed in the request body, the explicit values passed in from the request body will take precedence over the values inferred from the metadata document.

Note that a newly created connection will not become active until all of the following fields are provided:

* `issuer`
* `client_id`
* `client_secret`
* `authorization_url`
* `token_url`
* `userinfo_url`
* `jwks_url`


## OpenAPI

````yaml PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}
openapi: 3.0.3
info:
  title: Stytch API
  description: The Stytch API provides endpoints for authentication and user management.
  version: 2.1.1
  contact:
    name: Stytch Support
    url: https://stytch.com/docs
    email: support@stytch.com
servers:
  - url: https://api.stytch.com
    description: Production server
  - url: https://test.stytch.com
    description: Test server
security:
  - basicAuth: []
paths:
  /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}:
    put:
      tags:
        - Sso
      summary: Updateconnection
      description: >-
        Updates an existing OIDC connection.


        When the value of `issuer` changes, Stytch will attempt to retrieve the
        [OpenID Provider
        Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
        document found at `$/.well-known/openid-configuration`.

        If the metadata document can be retrieved successfully, Stytch will use
        it to infer the values of `authorization_url`, `token_url`, `jwks_url`,
        and `userinfo_url`.

        The `client_id` and `client_secret` values cannot be inferred from the
        metadata document, and *must* be passed in explicitly.


        If the metadata document cannot be retrieved, Stytch will still update
        the connection using values from the request body.


        If the metadata document can be retrieved, and values are passed in the
        request body, the explicit values passed in from the request body will
        take precedence over the values inferred from the metadata document. 


        Note that a newly created connection will not become active until all of
        the following fields are provided:

        * `issuer`

        * `client_id`

        * `client_secret`

        * `authorization_url`

        * `token_url`

        * `userinfo_url`

        * `jwks_url`
      operationId: api_sso_v1_sso_oidc_UpdateConnection
      parameters:
        - name: organization_id
          in: path
          required: true
          schema:
            type: string
            description: >-
              Globally unique UUID that identifies a specific Organization. The
              `organization_id` is critical to perform operations on an
              Organization, so be sure to preserve this value. You may also use
              the organization_slug or organization_external_id here as a
              convenience.
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        - name: connection_id
          in: path
          required: true
          schema:
            type: string
            description: >-
              Globally unique UUID that identifies a specific SSO
              `connection_id` for a Member.
          description: >-
            Globally unique UUID that identifies a specific SSO `connection_id`
            for a Member.
        - name: X-Stytch-Member-Session
          in: header
          required: false
          description: >-
            A Stytch session that can be used to run the request with the given
            member's permissions.
          schema:
            type: string
        - name: X-Stytch-Member-SessionJWT
          in: header
          required: false
          description: >-
            A Stytch Session JSON Web Token (JWT) that can be used to run the
            request with the given member's permissions.
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/api_sso_v1_sso_oidc_UpdateConnectionRequest'
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/api_sso_v1_sso_oidc_UpdateConnectionResponse
        '400':
          description: Bad request
        '401':
          description: Unauthorized
          content:
            application/json:
              example:
                status_code: 401
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: unauthorized_credentials
                error_message: Unauthorized credentials.
                error_url: https://stytch.com/docs/api/errors/401
        '429':
          description: Too Many Requests
          content:
            application/json:
              example:
                status_code: 429
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: too_many_requests
                error_message: Too many requests have been made.
                error_url: https://stytch.com/docs/api/errors/429
        '500':
          description: Internal server error
          content:
            application/json:
              example:
                status_code: 500
                request_id: request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141
                error_type: internal_server_error
                error_message: >-
                  Oops, something seems to have gone wrong, please reach out to
                  support@stytch.com to let us know what went wrong.
                error_url: https://stytch.com/docs/api/errors/500
      x-code-samples:
        - lang: csharp
          label: C#
          source: >-
            // PUT
            /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}

            const stytch = require('stytch');


            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });


            const params = {
              organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
              connection_id: "oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff",
              client_id: "s6BhdRkqt3",
              client_secret: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
            };


            const options = {
              authorization: {
                session_token: '${sessionToken}',
              },
            };


            client.SSO.OIDC.UpdateConnection(params, options)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: go
          label: Go
          source: "// PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}\npackage main\n\nimport (\n\t\"context\"\n\t\"log\"\n\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/b2bstytchapi\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/b2b/sso/oidc\"\n\t\"github.com/stytchauth/stytch-go/v18/stytch/methodoptions\"\n)\n\nfunc main() {\n\tclient, err := b2bstytchapi.NewClient(\n\t\t\"${projectId}\",\n\t\t\"${secret}\",\n\t)\n\tif err != nil {\n\t\tlog.Fatalf(\"error instantiating client: %v\", err)\n\t}\n\n\tparams := &oidc.UpdateConnectionParams{\n\t\tOrganizationID: \"organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931\",\n\t\tConnectionID:   \"oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff\",\n\t\tClientID:       \"s6BhdRkqt3\",\n\t\tClientSecret:   \"SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=\",\n\t}\n\n\toptions := &oidc.UpdateConnectionParamsOptions{\n\t\tAuthorization: methodoptions.Authorization{\n\t\t\tSessionToken: \"${sessionToken}\",\n\t\t},\n\t}\n\n\tresp, err := client.SSO.OIDC.UpdateConnection(context.Background(), params, options)\n\tif err != nil {\n\t\tlog.Fatalf(\"error in method call: %v\", err)\n\t}\n\n\tlog.Println(resp)\n}\n"
        - lang: java
          label: Java
          source: >-
            // PUT
            /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}

            package com.example;


            import com.stytch.java.b2b.models.ssooidc.UpdateConnectionRequest;

            import
            com.stytch.java.b2b.models.ssooidc.UpdateConnectionRequestOptions;

            import com.stytch.java.b2b.StytchB2BClient;

            import com.stytch.java.common.methodoptions.Authorization;

            import com.stytch.java.common.StytchResult;


            public class Main {
                public static void main(String[] args) {
                    StytchB2BClient.configure("${projectId}", "${secret}");

                    UpdateConnectionRequest params = new UpdateConnectionRequest();
                    params.setOrganizationId("organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931");
                    params.setConnectionId("oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff");
                    params.setClientId("s6BhdRkqt3");
                    params.setClientSecret("SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=");

                    UpdateConnectionRequestOptions options = new UpdateConnectionRequestOptions();
                    Authorization authorization = new Authorization();
                    authorization.setSessionToken("${sessionToken}");
                    options.setAuthorization(authorization);

                    Object result = StytchB2BClient.getSSO().getOIDC().updateConnection(params, options);
                    if (result instanceof StytchResult.Success) {
                      System.out.println(((StytchResult.Success) result).getValue());
                    } else {
                      System.out.println(((StytchResult.Error) result).getException());
                    }
                }
            }
        - lang: kotlin
          label: Kotlin
          source: >
            // PUT
            /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}

            package com.example


            import com.stytch.java.b2b.StytchB2BClient

            import com.stytch.java.b2b.models.ssooidc.UpdateConnectionRequest

            import
            com.stytch.java.b2b.models.ssooidc.UpdateConnectionRequestOptions

            import com.stytch.java.common.methodoptions.Authorization


            fun main() {
                StytchB2BClient.configure(
                    projectId = "${projectId}",
                    secret = "${secret}",
                )

                when (
                    val result =
                        StytchB2BClient.sso.oidc.updateConnection(
                            UpdateConnectionRequest(
                                organizationId = "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
                                connectionId = "oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff",
                                clientId = "s6BhdRkqt3",
                                clientSecret = "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
                            ),
                            UpdateConnectionRequestOptions(
                                Authorization(
                                    sessionToken = "${sessionToken}",
                                ),
                            ),
                        )
                ) {
                    is StytchResult.Success -> println(result.value)
                    is StytchResult.Error -> println(result.exception)
                }
            }
        - lang: javascript
          label: Node.js
          source: >-
            // PUT
            /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}

            const stytch = require('stytch');


            const client = new stytch.B2BClient({
              project_id: '${projectId}',
              secret: '${secret}',
            });


            const params = {
              organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
              connection_id: "oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff",
              client_id: "s6BhdRkqt3",
              client_secret: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
            };


            const options = {
              authorization: {
                session_token: '${sessionToken}',
              },
            };


            client.sso.oidc.updateConnection(params, options)
              .then(resp => { console.log(resp) })
              .catch(err => { console.log(err) });
        - lang: php
          label: PHP
          source: |-
            $response = $client->sso->oidc->update_connection([
                'organization_id' => 'organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931',
                'connection_id' => 'oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff',
                'client_id' => 's6BhdRkqt3',
                'client_secret' => 'SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=',
            ], [
                    'authorization' => ['session_token' => '${sessionToken}'],

            ]);
        - lang: python
          label: Python
          source: >
            # PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}

            from stytch import B2BClient

            from stytch.b2b.models.sso_oidc import
            UpdateConnectionRequestOptions

            from stytch.shared.method_options import Authorization


            client = B2BClient(
                project_id="${projectId}",
                secret="${secret}",
            )


            resp = client.sso.oidc.update_connection(
                organization_id="organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
                connection_id="oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff",
                client_id="s6BhdRkqt3",
                client_secret="SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
                method_options=UpdateConnectionRequestOptions(
                    authorization=Authorization(
                        session_token="${sessionToken}",
                    ),
                ),
            )


            print(resp)
        - lang: ruby
          label: Ruby
          source: |-
            # frozen_string_literal: true

            # PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}
            require 'stytch'

            client = StytchB2B::Client.new(
              project_id: "${projectId}",
              secret: "${secret}"
            )

            resp = client.sso.oidc.update_connection(
              organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
              connection_id: "oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff",
              client_id: "s6BhdRkqt3",
              client_secret: "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=",
              method_options: StytchB2B::SSO::OIDC::UpdateConnectionRequestOptions.new(
                authorization: Stytch::MethodOptions::Authorization.new(session_token: '${sessionToken}')
              )
            )

            puts resp
        - lang: rust
          label: Rust
          source: >-
            // PUT
            /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}

            use stytch::b2b::client::Client;

            use stytch::b2b::sso_oidc::UpdateConnectionRequest;


            fn main() {
                let client = Client::new("${projectId}", "${secret}").unwrap();
                let resp = client.sso.oidc.update_connection(
                    UpdateConnectionRequest{
                        organization_id: "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
                        connection_id: "oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff",
                        client_id: Some(String::from("s6BhdRkqt3")),
                        client_secret: Some(String::from("SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=")),
                        ..Default::default()
                    }
                ).await;
                println!("The response is {:?}", resp);
            }
        - lang: bash
          label: cURL
          source: |-
            # PUT /v1/b2b/sso/oidc/{organization_id}/connections/{connection_id}
            curl --request PUT \
              --url https://test.stytch.com/v1/b2b/sso/oidc/organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931/connections/oidc-connection-test-b6c714c2-7413-4b92-a0f1-97aa1085aeff \
              -u '${projectId}:${secret}' \
              -H 'Content-Type: application/json' \
              -H "X-Stytch-Member-Session: ${sessionToken}" \
              -d '{
                "client_id": "s6BhdRkqt3",
                "client_secret": "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4="
              }'
components:
  schemas:
    api_sso_v1_sso_oidc_UpdateConnectionRequest:
      type: object
      properties:
        display_name:
          type: string
          description: A human-readable display name for the connection.
        client_id:
          type: string
          description: >-
            The OAuth2.0 client ID used to authenticate login attempts. This
            will be provided by the IdP.
        client_secret:
          type: string
          description: >-
            The secret belonging to the OAuth2.0 client used to authenticate
            login attempts. This will be provided by the IdP.
        issuer:
          type: string
          description: >-
            A case-sensitive `https://` URL that uniquely identifies the IdP.
            This will be provided by the IdP.
        authorization_url:
          type: string
          description: >-
            The location of the URL that starts an OAuth login at the IdP. This
            will be provided by the IdP.
        token_url:
          type: string
          description: >-
            The location of the URL that issues OAuth2.0 access tokens and OIDC
            ID tokens. This will be provided by the IdP.
        userinfo_url:
          type: string
          description: >-
            The location of the IDP's [UserInfo
            Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
            This will be provided by the IdP.
        jwks_url:
          type: string
          description: >-
            The location of the IdP's JSON Web Key Set, used to verify
            credentials issued by the IdP. This will be provided by the IdP.
        identity_provider:
          $ref: >-
            #/components/schemas/api_sso_v1_sso_oidc_UpdateConnectionRequestIdentityProvider
          description: >-
            Name of the IdP. Enum with possible values: `classlink`, `cyberark`,
            `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`,
            `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`,
            `salesforce`, `shibboleth`, or `generic`.


            Specifying a known provider allows Stytch to handle any
            provider-specific logic.
        custom_scopes:
          type: string
          description: >-
            Include a space-separated list of custom scopes that you'd like to
            include. Note that this list must be URL encoded, e.g. the spaces
            must be expressed as %20.
        attribute_mapping:
          type: object
          additionalProperties: true
          description: >-
            An object that represents the attributes used to identify a Member.
            This object will map the IdP-defined User attributes to
            Stytch-specific values, which will appear on the member's Trusted
            Metadata.
      description: Request type
    api_sso_v1_sso_oidc_UpdateConnectionResponse:
      type: object
      properties:
        request_id:
          type: string
          description: >-
            Globally unique UUID that is returned with every API call. This
            value is important to log for debugging purposes; we may ask for
            this value to help identify a specific API call when helping you
            debug an issue.
        status_code:
          type: integer
          format: int32
          description: >-
            The HTTP status code of the response. Stytch follows standard HTTP
            response status code patterns, e.g. 2XX values equate to success,
            3XX values are redirects, 4XX are client errors, and 5XX are server
            errors.
        connection:
          $ref: '#/components/schemas/api_sso_v1_OIDCConnection'
          description: >-
            The [OIDC Connection
            Object](https://stytch.com/docs/b2b/api/oidc-connection-object).
        warning:
          type: string
          description: >-
            If it is not possible to resolve the well-known metadata document
            from the OIDC issuer, this field will explain what went wrong if the
            request is successful otherwise. In other words, even if the overall
            request succeeds, there could be relevant warnings related to the
            connection update.
      required:
        - request_id
        - status_code
    api_sso_v1_sso_oidc_UpdateConnectionRequestIdentityProvider:
      type: string
      enum:
        - classlink
        - cyberark
        - duo
        - generic
        - google-workspace
        - jumpcloud
        - keycloak
        - miniorange
        - microsoft-entra
        - okta
        - onelogin
        - pingfederate
        - rippling
        - salesforce
        - shibboleth
    api_sso_v1_OIDCConnection:
      type: object
      properties:
        organization_id:
          type: string
          description: >-
            Globally unique UUID that identifies a specific Organization. The
            `organization_id` is critical to perform operations on an
            Organization, so be sure to preserve this value. You may also use
            the organization_slug or organization_external_id here as a
            convenience.
        connection_id:
          type: string
          description: Globally unique UUID that identifies a specific OIDC Connection.
        status:
          type: string
          description: >-
            The status of the connection. The possible values are pending or
            active. See the [Update OIDC Connection
            endpoint](https://stytch.com/docs/b2b/api/update-oidc-connection)
            for more details.
        display_name:
          type: string
          description: A human-readable display name for the connection.
        redirect_url:
          type: string
          description: >-
            The callback URL for this OIDC connection. This value will be passed
            to the IdP to redirect the Member back to Stytch after a sign-in
            attempt.
        client_id:
          type: string
          description: >-
            The OAuth2.0 client ID used to authenticate login attempts. This
            will be provided by the IdP.
        client_secret:
          type: string
          description: >-
            The secret belonging to the OAuth2.0 client used to authenticate
            login attempts. This will be provided by the IdP.
        issuer:
          type: string
          description: >-
            A case-sensitive `https://` URL that uniquely identifies the IdP.
            This will be provided by the IdP.
        authorization_url:
          type: string
          description: >-
            The location of the URL that starts an OAuth login at the IdP. This
            will be provided by the IdP.
        token_url:
          type: string
          description: >-
            The location of the URL that issues OAuth2.0 access tokens and OIDC
            ID tokens. This will be provided by the IdP.
        userinfo_url:
          type: string
          description: >-
            The location of the IDP's [UserInfo
            Endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
            This will be provided by the IdP.
        jwks_url:
          type: string
          description: >-
            The location of the IdP's JSON Web Key Set, used to verify
            credentials issued by the IdP. This will be provided by the IdP.
        identity_provider:
          type: string
          description: >-
            Name of the IdP. Enum with possible values: `classlink`, `cyberark`,
            `duo`, `google-workspace`, `jumpcloud`, `keycloak`, `miniorange`,
            `microsoft-entra`, `okta`, `onelogin`, `pingfederate`, `rippling`,
            `salesforce`, `shibboleth`, or `generic`.


            Specifying a known provider allows Stytch to handle any
            provider-specific logic.
        custom_scopes:
          type: string
          description: >-
            A space-separated list of custom scopes that will be requested on
            every SSOStart call. If set, this value will replace the default set
            of OIDC scopes requested: `openid email profile`. Additional scopes
            can be requested using the `custom_scopes` query parameter on
            individual SSOStart calls.
        attribute_mapping:
          type: object
          additionalProperties: true
          description: >-
            An object that represents the attributes used to identify a Member.
            This object will map the IdP-defined User attributes to
            Stytch-specific values, which will appear on the member's Trusted
            Metadata.
      required:
        - organization_id
        - connection_id
        - status
        - display_name
        - redirect_url
        - client_id
        - client_secret
        - issuer
        - authorization_url
        - token_url
        - userinfo_url
        - jwks_url
        - identity_provider
        - custom_scopes
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

````