Skip to content
getgeolens.com
GeoLens DocsEarly release

Update Oauth Provider

PUT
/settings/oauth-providers/{provider_id}
 
curl --request PUT \
  --url https://example.com/api/settings/oauth-providers/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0 \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{ "slug": "example", "display_name": "example", "provider_type": "google", "client_id": "example", "client_secret": "example", "discovery_url": "example", "authorize_url": "example", "token_url": "example", "userinfo_url": "example", "idp_entity_id": "example", "idp_sso_url": "example", "idp_certificate": "example", "sp_entity_id": "example", "scopes": "example", "default_role": "example", "group_claim": "example", "group_role_mapping": {}, "enabled": true }'

Update an existing OAuth or SAML provider (admin only).

Audit-log payload contains details.changes with per-field {"old": ..., "new": ...} diffs. Secret fields (idp_certificate, client_secret_encrypted, client_secret) are redacted as {"old": "<redacted>", "new": "<redacted>"} (Pitfall 9 / SAML-12 / T-217-03-AUDIT-LEAK HIGH severity).

Authorizations

Section titled “Authorizations ”

Parameters

Section titled “ Parameters ”

Path Parameters

Section titled “Path Parameters ”
provider_id
required
Provider Id
string format: uuid

Request Body required

Section titled “Request Body required ”
Media type application/json
OAuthProviderUpdate

Schema for updating an existing OAuth provider. All fields optional.

object
slug
Any of:
string
>= 1 characters <= 50 characters /^[a-z0-9-]+$/
display_name
Any of:
string
>= 1 characters <= 100 characters
provider_type
Any of:
string
Allowed values: google microsoft oidc saml
client_id
Any of:
string
>= 1 characters <= 500 characters
client_secret
Any of:
string
>= 1 characters <= 1000 characters
discovery_url
Any of:
string
<= 512 characters
authorize_url
Any of:
string
<= 512 characters
token_url
Any of:
string
<= 512 characters
userinfo_url
Any of:
string
<= 512 characters
idp_entity_id
Any of:
string
<= 512 characters
idp_sso_url
Any of:
string
<= 512 characters
idp_certificate
Any of:
string
sp_entity_id
Any of:
string
<= 512 characters
scopes
Any of:
string
<= 500 characters
default_role
Any of:
string
<= 50 characters
group_claim
Any of:
string
<= 100 characters
group_role_mapping
Any of:
object
key
additional properties
any
enabled
Any of:
boolean

Responses

Section titled “ Responses ”

200

Section titled “200 ”

Successful Response

Media type application/json
OAuthProviderResponse

Response schema for OAuth/SAML provider.

Write-only credentials are never exposed:

  • client_secret_encrypted (OAuth client secret) — excluded.
  • idp_certificate (SAML IdP signing cert, Fernet-encrypted at rest) — excluded.

The 3 non-secret SAML fields (idp_entity_id, idp_sso_url, sp_entity_id) ARE exposed so the admin UI can display them.

Pitfall 11 interaction: those 3 fields are declared with deferred=True on the OAuth ORM model so community DBs (which lack the columns) do not crash on SELECT. Pydantic’s from_attributes=True would normally trigger an implicit deferred load on attribute access, which fails under FastAPI’s async context with MissingGreenlet. The model_validator(mode="before") below reads the SAML fields directly from obj.__dict__ so unloaded attributes default to None instead of triggering IO. SAML admin endpoints that need the values must use undefer_group("saml") at query time.

object
id
required
Id

Unique provider identifier.

string format: uuid
slug
required
Slug

URL-safe identifier used in the callback URL.

string
display_name
required
Display Name

Label shown on the login page button.

string
provider_type
required
Provider Type

Provider type: ‘google’, ‘microsoft’, ‘oidc’, or ‘saml’.

string
client_id
Any of:
string
discovery_url
Any of:
string
authorize_url
Any of:
string
token_url
Any of:
string
userinfo_url
Any of:
string
idp_entity_id
Any of:
string
idp_sso_url
Any of:
string
sp_entity_id
Any of:
string
scopes
required
Scopes

Space-separated OAuth scopes.

string
default_role
required
Default Role

Default role assigned to new users.

string
group_claim
Any of:
string
group_role_mapping
Any of:
object
key
additional properties
any
enabled
required
Enabled

Whether the provider button appears on the login page.

boolean
created_at
required
Created At

Timestamp the provider was created.

string format: date-time
updated_at
required
Updated At

Timestamp the provider was last updated.

string format: date-time
Example generated
{
  "id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
  "slug": "example",
  "display_name": "example",
  "provider_type": "example",
  "client_id": "example",
  "discovery_url": "example",
  "authorize_url": "example",
  "token_url": "example",
  "userinfo_url": "example",
  "idp_entity_id": "example",
  "idp_sso_url": "example",
  "sp_entity_id": "example",
  "scopes": "example",
  "default_role": "example",
  "group_claim": "example",
  "group_role_mapping": {},
  "enabled": true,
  "created_at": "2026-04-15T12:00:00Z",
  "updated_at": "2026-04-15T12:00:00Z"
}

400

Section titled “400 ”

Bad request — invalid query parameters or payload

401

Section titled “401 ”

Unauthorized — missing or invalid credentials

403

Section titled “403 ”

Forbidden — caller lacks access to this resource

404

Section titled “404 ”

Not found

422

Section titled “422 ”

Validation error

500

Section titled “500 ”

Internal server error