MATIH Platform is in active MVP development. Documentation reflects current implementation status.
6. Identity & Access Management
OAuth2 Endpoints

The OAuth2 endpoints manage OAuth2 client registration, retrieval, secret management, and deletion. Each endpoint requires either the ADMIN role or the matching oauth2:clients:* permission listed below. They are served by OAuth2ClientController under /api/v1/oauth2/clients.

Endpoints

| Method | Endpoint                                            | Description              | Permission            |
|--------|-----------------------------------------------------|--------------------------|-----------------------|
| POST   | /api/v1/oauth2/clients                              | Register new client      | oauth2:clients:write  |
| GET    | /api/v1/oauth2/clients                              | List all clients         | oauth2:clients:read   |
| GET    | /api/v1/oauth2/clients/:clientId                    | Get client details       | oauth2:clients:read   |
| POST   | /api/v1/oauth2/clients/:clientId/regenerate-secret  | Regenerate client secret | oauth2:clients:write  |
| DELETE | /api/v1/oauth2/clients/:clientId                    | Delete client            | oauth2:clients:delete |

POST /api/v1/oauth2/clients

Registers a new OAuth2 client application. The client secret is returned only once at creation time for confidential clients.

{
  "clientName": "BI Dashboard App",
  "clientType": "CONFIDENTIAL",
  "grantTypes": ["authorization_code", "refresh_token"],
  "redirectUris": ["https://bi.example.com/callback"],
  "scopes": ["openid", "profile", "data:read"],
  "tokenValiditySeconds": 3600,
  "refreshTokenValiditySeconds": 86400
}

| Status | Description                                   |
|--------|-----------------------------------------------|
| 201    | Client created, secret included in response   |
| 400    | Invalid request parameters                    |

OAuth2ClientResponse Structure

{
  "id": 1,
  "clientId": "matih-bi-dashboard-abc123",
  "clientSecret": "only-shown-once-at-creation",
  "clientName": "BI Dashboard App",
  "clientType": "CONFIDENTIAL",
  "grantTypes": ["authorization_code", "refresh_token"],
  "redirectUris": ["https://bi.example.com/callback"],
  "scopes": ["openid", "profile", "data:read"],
  "tokenValiditySeconds": 3600,
  "refreshTokenValiditySeconds": 86400,
  "active": true,
  "createdAt": "2026-02-01T10:00:00Z",
  "createdBy": "admin@example.com"
}

POST /api/v1/oauth2/clients/:clientId/regenerate-secret

Regenerates the client secret for a confidential client. The old secret is immediately invalidated. Public clients cannot have secrets regenerated.

| Status | Description                          |
|--------|--------------------------------------|
| 200    | New secret returned in response      |
| 400    | Cannot regenerate for public clients |
| 404    | Client not found                     |
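The registration and secret-regeneration rules above, as an added Python example that is not the MATIH platform's own OAuth2ClientController code: it validates a registration request, returns the secret exactly once while persisting only its hash, and produces the 400/404 outcomes for regeneration. The allowed grant-type set, the in-memory store, the generated client-id format and the SHA-256 at-rest form are assumptions, not documented platform behaviour.

```python
import hashlib
import secrets
from urllib.parse import urlparse

ALLOWED_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}  # assumed policy

def validate_registration(req: dict) -> list:
    """Reasons the request must be rejected with 400 (empty list means valid)."""
    errors = []
    if req.get("clientType") not in ("CONFIDENTIAL", "PUBLIC"):
        errors.append("clientType must be CONFIDENTIAL or PUBLIC")
    grants = set(req.get("grantTypes") or [])
    if not grants or not grants <= ALLOWED_GRANTS:
        errors.append("grantTypes must be a non-empty subset of the allowed grants")
    uris = req.get("redirectUris") or []
    if "authorization_code" in grants and not uris:
        errors.append("authorization_code requires at least one redirectUri")
    for uri in uris:  # exact absolute https URIs only: no fragment, no wildcard
        u = urlparse(uri)
        if u.scheme != "https" or not u.netloc or u.fragment or "*" in uri:
            errors.append(f"redirectUri rejected: {uri}")
    for field in ("tokenValiditySeconds", "refreshTokenValiditySeconds"):
        if not isinstance(req.get(field), int) or req[field] <= 0:
            errors.append(f"{field} must be a positive integer")
    return errors

def register_client(req: dict, store: dict) -> tuple:
    errors = validate_registration(req)
    if errors:
        return 400, {"errors": errors}
    client_id = "matih-" + secrets.token_hex(6)  # assumed id format
    secret = secrets.token_urlsafe(32) if req["clientType"] == "CONFIDENTIAL" else None
    # Only a hash is persisted; a high-entropy random secret does not need a slow KDF.
    store[client_id] = {**req, "clientId": client_id, "active": True,
                        "secretHash": hashlib.sha256(secret.encode()).hexdigest() if secret else None}
    body = {k: v for k, v in store[client_id].items() if k != "secretHash"}
    if secret:
        body["clientSecret"] = secret  # the only time the plaintext leaves the server
    return 201, body

def regenerate_secret(client_id: str, store: dict) -> tuple:
    client = store.get(client_id)
    if client is None or not client["active"]:
        return 404, {"error": "Client not found"}
    if client["clientType"] == "PUBLIC":
        return 400, {"error": "Cannot regenerate for public clients"}
    secret = secrets.token_urlsafe(32)
    client["secretHash"] = hashlib.sha256(secret.encode()).hexdigest()  # old secret now invalid
    return 200, {"clientId": client_id, "clientSecret": secret}
```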

DELETE /api/v1/oauth2/clients/:clientId

Deactivates the client and revokes all associated tokens. The client record is retained for audit purposes but marked as inactive.

| Status | Description      |
|--------|------------------|
| 204    | Client deleted   |
| 404    | Client not found |