Exporting, Importing and Patching Cloudentity Tenant/Workspace Configuration
Export, import, and patch Cloudentity tenant/workspace configurations with the Configuration Promotion APIs.
By reading this article, you will gain insights into the Cloudentity export, import, and patch configuration APIs, and discover how these powerful tools can enhance your ability to effectively manage the configuration of your tenants and workspaces.
Alpha Feature
Test use only. Subject to potential functionality limitations, breaking changes, future updates, and removal without notice.
About Cloudentity Configuration APIs
Cloudentity provides APIs to export, import, and patch the configuration of individual workspaces or entire tenants.
The export/import/patch APIs are available for Cloudentity SaaS Platform as well as for customer deployed Cloudentity platform and can be used for purposes such as automating configuration management.
Manage Workspace Configuration APIs
The new Cloudentity configuration APIs provide four endpoints for managing workspace configuration.
Export workspace configuration to export a specific workspace from a specific tenant.
Import workspace configuration to import an entire workspace into a specific tenant.
Patch workspace configuration (rfc6902) to patch specific changes to a workspace in a specific tenant, using the standard described in RFC 6902.
The Patch JSON API is intended for easy configuration changes when there are a small number of known workspace modifications and the user applying the patch is familiar with them.
Patch workspace configuration (rfc7396) to patch a specific changes to a workspace in a specific tenant, using the standard described in RFC 7396.
The JSON Merge Patch API facilitates the automated promotion of larger configuration changes. It provides a straightforward and efficient way to apply extensive modifications, such as through scripts or automated methods. This API streamlines the process of implementing significant configuration updates, improving efficiency and accuracy.
Manage Tenant Configuration APIs
The new Cloudentity configuration APIs provide four new endpoints, mirroring the workspace configuration APIs, for tenants.
The Tenant Management APIs can be used by organizations that need to manage many workspaces in their tenants or have a lot of tenant-level configuration such as: Cloudentity Identity Pools, Custom MFA Settings, Custom Themes, etc.
Manage Customer Deployed Tenant Configuration Root APIs
The new Cloudentity configuration APIs provide four new endpoints, mirroring the Tenant Configuration APIs for the Root System Workspace.
These new Root System configuration APIs could be used in lieu of the functionality previously referred to as Global operations.
These endpoints are only available for customer deployed Cloudentity, as the Root System Workspace is not directly available to SaaS Customers. The additional functionality provided by these endpoints is not relevant for SaaS customers.
The Customer Deployed Tenant Configuration APIs can be used to manage configuration of any tenant within Cloudentity deployment.
Prerequisites
Familiarization with Cloudentity REST APIs and what is required to properly access them.
M2M Client Applications added in the System workspace of both tenants -- the one where the configuration is exported from, and the one where the import/patch takes place.
For promoting configuration changes, you need a tool that can compare two exported configurations and create a JSON Merge Patch document from them.
Note
If you wish to test the Configuration Promotion APIs, contact the Cloudentity Sales Team to enable the tree_dump_tenant
feature-flag for your tenants. If you are using a customer deployed Cloudentity platform, you can enable the feature flag in your platform configuration files.
Export Configuration APIs
The export endpoints are essential for managing the configuration of your tenant/workspace(s). These endpoints allow you to export the current configuration, and are integral in every configuration management scenario such as the initial configuration import, configuration patching, and configuration backup.
The most up-to-date example calls and output for the Export Endpoints can be found in the documentation for Cloudentity configuration API endpoints.
Tip
When exporting configuration with curl
, you can add the -o /full/path/to/export.json
parameter to output the results directly to a file.
Export Response Options
You can adjust the content received with the response upon calling the export endpoint, with the boolean parameter with_credentials
.
When
with_credentials
is set totrue
:The exported data will include all credentials present in the workspace. For example, things considered as credentials include: JSON Web Key Sets (JWKS), secrets, certificates, etc.
When
with_credentials
is set tofalse
:Credentials are exported as
null
or empty objectsNote
This does not apply to public keys, such as public JWKS exposed in DCR settings.
By default, with_credentials
= false
.
Limitations of Configuration Export APIs
Please consider the following limitations related to the new Export APIs:
It is entirely possible to export broken tenant/workspace Configuration, but you cannot import/patch broken configurations.
It is possible that some specific configuration related to the tenant/workspace will be exported. Typically, this data includes things like the
redirect_uris
in Client Applications.We strongly recommend replacing or removing those values before performing an import or patch operation. Even when utilizing the tenant configuration APIs, there should be very few (if any) instances of your exported tenant's name, but it is advisable to eliminate/replace them in the configuration to ensure smooth processing.
Cloudentity Identity Pools are not part of the Export workspace configuration.
If you have any Cloudentity Authentication Providers attached to your workspace you have to either use the tenant configuration APIs or use the Identity Pool APIs first, to export/import the necessary Identity Pool Configurations.
Import Configuration APIs
The configuration import endpoints make wholesale changes to the configuration of your tenant/workspace(s). If there are any conflicts during the import, the target's configuration is overridden with the values provided. The import endpoints are likely to be the least frequently used, as they are intended for one-time and niche operations, such as the initial configuration import and configuration restore.
The most up-to-date example calls and output for the Import Endpoints can be found in the documentation for Cloudentity Configuration Promotion API endpoints.
Insert Mode
The import endpoints support the mode
query parameter. This parameter is optional; it defines what happens in the case of import conflicts. For example, when importing a configuration between two tenants, and both have client applications with identical IDs.
Cloudentity can handle this conflict as follows:
mode
=ignore
: Ignore the incoming configuration from the source. Applies to the conflicting changes.mode
=fail
: Stop import processing and return an error.mode
=update
: Overwrite the target with the incoming configuration from the source. Applies to the conflicting changes.
By default, mode
= ignore
.
Limitations of Configuration Import APIs
Please consider the following limitations related to the Import APIs:
The configuration of the import target is overridden with the data provided to the import API. The import APIs serve the purpose of addressing potential gaps in the patch APIs, when there is a need to (re)set the configuration of an entire tenant/workspace. If you only require incremental changes, it is recommended to utilize the patch APIs instead.
Warning
Only use the import APIs when you want the target's entire configuration overridden. We highly suggest that you use the associated export API to create a backup of the import target before performing the import.
If the JSON provided for import is generated using the export APIs with
with_credentials
set tofalse
, the necessary credentials such as JWKS and client_secrets are regenerated during the import process. It's important to note that if you didn't create a backup export of the tenant/configuration, all those credentials are lost.
Patch Configuration APIs
The configuration patch endpoints are used to make iterative changes to the configuration of your tenant/workspace(s). These endpoints are a key component in enabling configuration promotion and automated configuration management.
The most up-to-date example calls and output for the Patch Endpoints can be found in the documentation for Cloudentity configuration API endpoints.
Tip
When patching configuration with curl
, you can use the -d @/full/path/to/patch.json
supply the JSON Merge Patch contents directly from a file.
Insert Mode
The patch endpoints support the mode
query parameter. This parameter is optional; it defines what happens in the case of import conflicts. For example, when patching a configuration between two tenants, and both have client applications with identical IDs.
Cloudentity can handle this conflict as follows:
mode
=ignore
: Ignore the incoming configuration from the source. Applies to the conflicting changes.mode
=fail
: Stop import processing and return an error.mode
=update
: Overwrite the target with the incoming configuration from the source. Applies to the conflicting changes.
By default, mode
= update
.
Limitations of Configuration Patch APIs
Please consider the following limitations related to the new Patch APIs:
It is entirely possible to export broken tenant/workspace Configuration. Patching a tenant/workspace from that configuration will have mixed results.
For example: when attempting to add a Cloudentity Authentication Provider to a workspace in a tenant where the associated Identity Pool does not exist, the patch will return a
204
even though the IDP doesn't get created.Not all the error cases and associated message details have been fully defined. They are still a work-in-progress.
Manual updates to the target tenant/workspace may cause conflicts, resulting in unexpected results from the Patch APIs.
Certain configurations do not cause the Patch APIs to return an Error, but they do require additional consideration, to ensure the results are expected/desired:
If you have any Cloudentity Authentication Providers attached to your workspace you have to either use the tenant configuration APIs or use the Identity Pool APIs first, to export/import the necessary Identity Pool Configurations prior to your workspace patch.
If you have any Custom Themes bound to your exported workspace, you have to either use the tenant configuration APIs or ensure that the Custom Theme exists in your target tenant, before calling the workspace patch API.
The JSON Patch supplied to the Patch APIs must conform to (preferably) RFC 7396 or RFC 6902.
For easier and more smooth patching capabilities, Cloudentity recommends the RFC 7396 specification.
This JSON Patch should be generated by a JSON Patch Tool. Refer to the JSON Patch Tool information and example provided by Cloudentity.
RFC6902 or RFC7396 -- What to Choose
Cloudentity provides organizations with freedom to choose what APIs are the most suitable for their needs:
For easier and more smooth patching capabilities, Cloudentity recommends the RFC 7396 JSON Merge Patch API.
JSON Patch - RFC6902
The Patch JSON API is intended for easy configuration changes when there are a small number of known workspace/tenant modifications and the user applying the patch is familiar with them.
The Patch JSON API accepts a JSON Array which objects represent a single operation applied to the target JSON (workspace configuration). Evaluation continues until all operations are successfully applied or until an error condition is encountered.
Example target configuration:
{ "clients":{ "sample-client-id":{ "client_name":"sample-application", "response_types": [ "code", "token" ] } } }
Example operation:
[ { "op": "replace", "path": "/clients/sample-client-id/client_name", "value": "demo-application" }, { "op": "add", "path": "/clients/sample-client-id/response_types", "value": "id_token" } ]
Example result:
{ "clients":{ "sample-client-id":{ "client_name":"demo-application", "response_types": [ "code", "token", "id_token" ] } } }
The above operation results in replacing the current value of the client name parameter within the configuration of the client with the sample-client-id
identifier. It also adds the id_token
as the client application's response type.
JSON Merge Patch API - RFC7396
The JSON Merge Patch API facilitates the automated promotion of larger configuration changes. It provides a straightforward and efficient way to apply extensive modifications, such as through scripts or automated methods. This API streamlines the process of implementing significant configuration updates, improving efficiency and accuracy.
The JSON Merge Patch API accepts a JSON that describes changes to be made to a target workspace/tenant configuration using a syntax that closely mimics the configuration being modified.
Example original configuration:
{ "clients":{ "sample-client-id":{ "client_name":"sample-application", "response_types": [ "token" ], "scopes": [ "email", "profile", "openid", "offline_access" ] }, "demo-client-id":{ "client_name":"demo-application" } } }
Example JSON Merge Patch:
{ "clients":{ "sample-client-id":{ "response_types": [ "code", "token", "id_token" ], "scopes": [ "email", "profile", ] }, "demo-client-id": null } }
Example result:
{ "clients":{ "sample-client-id":{ "client_name":"sample-application", "response_types": [ "code", "token", "id_token" ], "scopes": [ "email", "profile", ] } } }
You can see that the JSON Merge Patch API leaves the client name untouched, adds additional response types, and removes some of the scopes assigned to the client application. The demo application from the original configuration is removed completely from the ulting configuration.