Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Deactivating and deleting an OIDC application in Yandex Identity Hub

Written by
Updated at March 5, 2026

OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.

Deactivate the application

If you need to temporarily disable authentication in an external app using the OpenID Connect (OIDC) single sign-on for your organization’s users, deactivate the relevant OIDC application in Identity Hub:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. Next to the OIDC application you want to deactivate, click and select Deactivate.
  4. In the window that opens, confirm the operation.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for deactivating an OIDC app:

    yc organization-manager idp application oauth application suspend --help

  2. Run this command:

    yc organization-manager idp application oauth application suspend <app_ID>

    Result:

    id: ek0o663g4rs2********
name: test-oidc-app
organization_id: bpf2c65rqcl8********
group_claims_settings:
  group_distribution_type: NONE
client_grant:
  client_id: ajeqqip130i1********
  authorized_scopes:
    - openid
status: SUSPENDED
created_at: "2025-10-21T10:51:28.790866Z"
updated_at: "2025-10-21T11:28:09.167252Z"

Use the Application.Suspend REST API method for the Application resource or the ApplicationService/Suspend gRPC API call.

This will deactivate the OIDC application and switch its status to Suspended, and the users will no longer be able to use it for authentication in the relevant external app.

Activate the application

If you need to restore the ability of your organization’s users to authenticate in an external app using the OIDC single sign-on, activate the OIDC application in Identity Hub:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. Next to the OIDC application you want to activate, click and select Activate.
  4. In the window that opens, confirm the operation.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for activating an OIDC app:

    yc organization-manager idp application oauth application reactivate --help

  2. Run this command:

    yc organization-manager idp application oauth application reactivate <app_ID>

    Result:

    id: ek0o663g4rs2********
name: test-oidc-app
organization_id: bpf2c65rqcl8********
group_claims_settings:
  group_distribution_type: NONE
client_grant:
  client_id: ajeqqip130i1********
  authorized_scopes:
    - openid
status: ACTIVE
created_at: "2025-10-21T10:51:28.790866Z"
updated_at: "2025-10-21T11:28:09.167252Z"

Use the Application.Reactivate REST API method for the Application resource or the ApplicationService/Reactivate gRPC API call.

This will activate the OIDC application, switch its status to Active, and enable the users added to the application to use it for authentication in the external app again.

Delete the application

To delete an OIDC application:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. Next to the OIDC application you want to delete, click and select Delete.
  4. In the window that opens, confirm the operation.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for deleting an OIDC app:

    yc organization-manager idp application oauth application delete --help

  2. Run this command:

    yc organization-manager idp application oauth application delete <app_ID>

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. To delete the OIDC app, delete the relevant resource from the Terraform configuration file:

    Example of an OIDC application description in the Terraform configuration:

    resource "yandex_organizationmanager_idp_application_oauth_application" "example_oidc_app" {
  organization_id = "<organization_ID>"
  name            = "<application_name>"
  description     = "<application_description>"

  client_grant = {
    client_id         = "<OAuth_client_ID>"
    authorized_scopes = ["<attribute_1>", "<attribute_2>"]
  }

  group_claims_settings = {
    group_distribution_type = "ALL_GROUPS"
  }

  labels = {
    "<key_1>" = "<value_1>"
    "<key_2>" = "<value_2>"
  }
}

    Where:

    • organization_id: ID of the organization the OIDC app belongs to.
    • name: OIDC app name.
    • description: OIDC app description.
    • client_grant: OAuth client connection settings:
      • client_id: OAuth client ID.
      • authorized_scopes: User attributes available to the service provider.
    • group_claims_settings: Settings for sending user groups to the service provider:
      • group_distribution_type: Group distribution type.
    • labels: List of labels.

    For more information about yandex_organizationmanager_idp_application_oauth_application properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will delete the OIDC app resource. You can check the resource deletion in the Cloud Center UI or using this CLI command:

    yc organization-manager idp application oauth application list --organization-id <organization_ID>

Use the Application.Delete REST API method for the Application resource or the ApplicationService/Delete gRPC API call.

This will delete the OIDC application, and the users will no longer be able to use it for authentication in the external app.

See also

Previous
Getting app information
Next
Adding an SSH key