Exchange OIDCToken

posthttps://app.fossa.com/api/oidc/token-exchange

Exchange an OIDC token for a FOSSA API token. This endpoint is unauthenticated (no FOSSA API token is required); the caller presents an OIDC token issued by a trusted provider. Validation or lookup failures (invalid token, unknown provider, or no matching trust relationship) are reported as a `400`.

Request body (required) · application/json

providerIdintegerrequired

The ID of the OIDC Provider that issued the token

usernamestringrequired

The username of the user that we want to log in as

tokenstringrequired

The JWT that was issued by the OIDC Provider

expiresIninteger

The desired validity duration of the generated FOSSA token, in seconds. Min 15 minutes (900s), Max 12 hours (43200s), Default 1 hour (3600s).

isPushOnlyboolean

Whether the FOSSA token should be push-only. Defaults to true.

Responses

200Successfully exchanged OIDC token for FOSSA token
userIdintegerrequired

The ID of the user that the token is for

providerIdintegerrequired

The ID of the OIDC Provider

issuerstringrequired

The issuer of the token

subjectstringrequired

The subject of the token

credentialobjectrequired

The FOSSA credential information

tokenstringrequired

The FOSSA token that can be used to authenticate with the FOSSA API

isPushOnlybooleanrequired

Whether the FOSSA token is push-only

expirationstring <date-time>required

When the FOSSA token expires

400Bad Request
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

500Server Error
uuidstring

Unique identifier associated with the error

codeinteger

fossa specific error code

messagestring

message associated with this error

namestring

name of the error

httpStatusCodeinteger

http status code number

Try this endpoint

Build a request and run it against app.fossa.com.

Bearer

Stored in this browser for 24 hours. Try It uses a docs proxy for CORS and does not store tokens server-side.

POST https://app.fossa.com/api/oidc/token-exchange
curl --request POST \  --url 'https://app.fossa.com/api/oidc/token-exchange' \  --header 'accept: application/json' \  --header 'content-type: application/json' \  --data '{  "providerId": 123,  "username": "john.doe",  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."}'

Real request. Mutating methods can change data.

Click Try It to run a request and see the response here.
application/json