Updating an OIDC application in Yandex Identity Hub

Written by
Yandex Cloud
Updated at March 5, 2026
  • Update the app's basic settings
  • Update the service provider configuration
  • Updating an app's secret
  • Update the list of app users and groups

OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.

Update the app's basic settings

To update the OIDC app's basic settings:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and select the OIDC application.

  3. On the top right, click Edit and in the window that opens:

    1. Change the app's name in the Name field. The name must be unique within the organization and follow the naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    2. Change the app's description in the Description field.

    3. Add new labels by clicking Labels in the Add label field. Click to delete an existing label.

    4. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for updating an OIDC application:

    yc organization-manager idp application oauth application update --help
    
  2. Run this command:

    yc organization-manager idp application oauth application update \
      --id <app_ID> \
      --new-name <application_name> \
      --description <application_description> \
      --client-id <OAuth_client_ID> \
      --authorized-scopes <attribute>[,<attribute>] \
      --group-distribution-type all-groups \
      --labels <key>=<value>[,<key>=<value>]
    

    Where:

    • --id: OIDC app ID. This is a required setting.

    • --new-name: New name for the OIDC app. The name must be unique within the organization and follow the naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    • --description: New description for the OIDC app.

    • --client-id: ID of the new OAuth client.

    • --authorized-scopes: New user attributes that will be available to the service provider. Specify one or more attributes, comma-separated, in <attribute1>,<attribute2> format. Possible attributes:

      • openid: User ID. Required attribute.

      • profile: Additional user details, such as first name, last name, and avatar.

      • email: User email address.

      • address: User home address.

      • phone: User phone number.

      • groups: User groups in the organization.

        Warning

        You need to specify the new user attributes in the service provider configuration first, using the --scopes parameter.

    • --group-distribution-type: If you specified the groups attribute when creating or updating the OAuth client, update the user groups you want to send to your service provider. The possible values are:

      • all-groups: Service provider will get all groups the user belongs to.

        The maximum number of groups that can be sent is 1,000. If the user belongs to more groups than this, only the first thousand will go to the service provider.

      • assigned-groups: Of all the user's groups, the service provider will only get the ones explicitly specified.

      • none: Service provider will not get any of the groups the user belongs to.

    • --labels: New list of labels. You can specify one or more labels separated by commas in <key1>=<value1>,<key2>=<value2> format.

    Result:

    id: ek0o663g4rs2********
    name: oidc-app
    organization_id: bpf2c65rqcl8********
    group_claims_settings:
      group_distribution_type: NONE
    client_grant:
      client_id: ajeqqip130i1********
      authorized_scopes:
        - openid
    status: ACTIVE
    created_at: "2025-10-21T10:51:28.790866Z"
    updated_at: "2025-10-21T12:37:19.274522Z"
    

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, edit the OIDC application settings:

    resource "yandex_organizationmanager_idp_application_oauth_application" "example_oidc_app" {
      application_id  = "<app_ID>"
      organization_id = "<organization_ID>"
      name            = "<new_application_name>"
      description     = "<new_application_description>"

      client_grant = {
        client_id         = "<OAuth_client_ID>"
        authorized_scopes = ["<attribute_1>", "<attribute_2>"]
      }

      group_claims_settings = {
        group_distribution_type = "ALL_GROUPS"
      }

      labels = {
        "<key_1>" = "<value_1>"
        "<key_2>" = "<value_2>"
      }
    }

Where:

  • application_id: OIDC app ID. This is a required parameter.

  • organization_id: ID of the organization the OIDC application belongs to. This is a required parameter.

  • name: New name for the OIDC app. The name must be unique within the organization and follow the naming requirements:

    • It must be from 1 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.
  • description: New description for the OIDC app. This is an optional parameter.

  • client_grant: OAuth client connection settings:

    • client_id: OAuth client ID. This is a required parameter.
    • authorized_scopes: New user attributes that will be available to the service provider. Specify one or more attributes in square brackets. Possible attributes:
      • openid: User ID. Required attribute.
      • profile: Additional user details, such as first name, last name, and avatar.
      • email: User email address.
      • address: User home address.
      • phone: User phone number.
      • groups: User groups in the organization.
  • group_claims_settings: Settings for sending user group claims to the service provider:

    • group_distribution_type: If you provided the groups attribute when creating the OAuth client, specify which user groups you want to go to the service provider. The possible values are:
      • ALL_GROUPS: Service provider will get all groups the user belongs to.
      • ASSIGNED_GROUPS: Of all the user's groups, the service provider will only get the ones explicitly specified.
      • NONE: Service provider will not get any of the groups the user belongs to.
  • labels: List of labels. This is an optional parameter.

For more information about yandex_organizationmanager_idp_application_oauth_application properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the updates of resources and their settings either in the Cloud Center interface or using this CLI command:

    yc organization-manager idp application oauth application get <app_ID>

API

Use the Application.Update REST API method for the Application resource or the ApplicationService/Update gRPC API call.

Update the service provider configuration

To update the service provider configuration in an OIDC app:

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps, then select the OIDC app.
  3. On the top right, click Edit and in the window that opens:

    1. Specify the address you got from the service provider in the Redirect URI field.

      Click Add URI to specify multiple redirect URIs at once.

    2. In the Scopes field, select user attributes that will be available to the service provider.

      • openid (user ID): User ID. This is a required parameter.

      • email address: User email address.

      • profile (full name, first name, last name, avatar, etc.): Additional user details.

      • groups (user's groups in the organization): Groups in the organization that the user being authenticated belongs to. The possible values are:

        • All groups: Service provider will get all groups the user belongs to.

          The maximum number of sent groups: 1,000. If the user belongs to more groups, only the first thousand of them will be communicated to the service provider.

        • Assigned groups only: Of all groups the user belongs to, the service provider will only get the ones explicitly specified on the Users and groups tab of the OIDC app.

    3. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for setting up the OAuth client:

    yc iam oauth-client update --help
    
  2. Run this command:

    yc iam oauth-client update \
      --id <OAuth_client_ID> \
      --new-name <new_name_for_OAuth_client> \
      --redirect-uris <address>[,<address>] \
      --scopes <attribute>[,<attribute>]
    

    Where:

    • --id: OAuth client ID.

    • --new-name: New name for the OAuth client.

    • --scopes: New user attributes that will be available to the service provider. Specify one or more attributes, comma-separated, in <attribute1>,<attribute2> format. Possible attributes:

      • openid: User ID. Required attribute.

      • profile: Additional user details, such as first name, last name, and avatar.

      • email: User email address.

      • address: User home address.

      • phone: User phone number.

      • groups: User groups in the organization.

        Warning

        You also need to specify the new user attributes in the app's basic settings using the --authorized-scopes parameter.

    • --redirect-uris: Specify the new address or addresses you got from the service provider in <address1>,<address2> format.

    Result:

    id: ajejklv8g9kh********
    name: my-oauth-client
    redirect_uris:
      - https://example2.com
      - https://example2.ru
    scopes:
      - openid
      - profile
    folder_id: b1g500m2195v********
    status: ACTIVE
    

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, edit the OIDC client settings:

    resource "yandex_iam_oauth_client" "example_oauth_client" {
      oauth_client_id = "<OAuth_client_ID>"
      name            = "<new_name_for_OAuth_client>"
      redirect_uris   = ["<address_1>", "<address_2>"]
      scopes          = ["<attribute_1>", "<attribute_2>"]
    }

Where:

  • oauth_client_id: OAuth client ID. This is a required parameter.
  • name: New name for the OAuth client. This is an optional parameter.
  • redirect_uris: New list of redirect URIs. Specify one or more URIs in square brackets. This is an optional parameter.
  • scopes: New user attributes that will be available to the service provider. Specify one or more attributes in square brackets. Possible attributes:
    • openid: User ID. Required attribute.
    • profile: Additional user details, such as first name, last name, and avatar.
    • email: User email address.
    • address: User home address.
    • phone: User phone number.
    • groups: User groups in the organization.

For more information about yandex_iam_oauth_client properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the updates of resources and their settings either in the Cloud Center interface or using this CLI command:

    yc iam oauth-client get <OAuth_client_ID>

API

Use the OAuthClient.Update REST API method for the OAuthClient resource or the OAuthClientService/Update gRPC API call.
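The two warnings above require the app's --authorized-scopes and the OAuth client's --scopes to be kept in step. The following consistency check is an added example, not part of the Yandex Cloud documentation. It assumes the output of the two get commands was saved with the CLI's --format json option and that the JSON uses the same field names as the YAML results shown on this page; the sample documents and their IDs are constructed.

```python
import json
import re

# Naming rule from the page: 1 to 63 characters; lowercase Latin letters,
# numbers and hyphens; starts with a letter; does not end with a hyphen.
NAME_RE = re.compile(r"[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?")
KNOWN_SCOPES = {"openid", "profile", "email", "address", "phone", "groups"}
GROUP_CAP = 1000  # limit the page states for all-groups distribution

# Constructed sample documents (not real resources). Field names are assumed
# to match the YAML results shown on the page.
SAMPLE_APP = json.loads("""
{
  "id": "app-constructed",
  "name": "oidc-app",
  "group_claims_settings": {"group_distribution_type": "ALL_GROUPS"},
  "client_grant": {
    "client_id": "client-constructed",
    "authorized_scopes": ["openid", "email", "groups"]
  }
}
""")
SAMPLE_CLIENT = json.loads("""
{
  "id": "client-constructed",
  "name": "my-oauth-client",
  "redirect_uris": ["https://sp.example.com/callback"],
  "scopes": ["openid", "profile", "groups"]
}
""")


def audit(app, client):
    """Return findings for one OIDC app and the OAuth client it is bound to."""
    findings = []
    grant = app.get("client_grant", {})
    authorized = set(grant.get("authorized_scopes", []))
    client_scopes = set(client.get("scopes", []))
    dist = app.get("group_claims_settings", {}).get(
        "group_distribution_type", "NONE")

    if not NAME_RE.fullmatch(app.get("name", "")):
        findings.append("name: violates naming requirements")
    if grant.get("client_id") != client.get("id"):
        findings.append("client_id: app is bound to a different OAuth client")
    for scope in sorted(authorized - KNOWN_SCOPES):
        findings.append(f"scope {scope}: not a documented attribute")
    if "openid" not in authorized:
        findings.append("scope openid: required attribute missing")
    # Both warnings on the page: each list must also contain what the other has.
    for scope in sorted(authorized - client_scopes):
        findings.append(f"scope {scope}: authorized on app but not in client scopes")
    for scope in sorted(client_scopes - authorized):
        findings.append(f"scope {scope}: in client scopes but not authorized on app")
    # The group distribution type only matters when the groups scope is granted.
    if "groups" in authorized and dist == "NONE":
        findings.append("groups: scope authorized but distribution type is NONE")
    if "groups" not in authorized and dist != "NONE":
        findings.append(f"groups: distribution type {dist} set without groups scope")
    if dist == "ALL_GROUPS":
        findings.append(f"groups: ALL_GROUPS sends at most {GROUP_CAP} groups per user")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_APP, SAMPLE_CLIENT):
        print(finding)
```

An empty list means the two scope lists agree and the group settings are consistent with them.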

Updating an app's secret

You cannot view or update an existing app secret. Instead, you can generate a new one:

Cloud Center UI
  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps, then select the OIDC app.
  3. Under App secrets, click Add secret, and in the window that opens:

    1. Optionally, add a description for the new secret.
    2. Click Create.

    The window will display the generated application secret. Save this value.

    Warning

    If you refresh or close the application information page, you will not be able to view the secret again.

    If you closed or refreshed the page before saving the secret, click Add secret to create a new one.

    To delete a secret, in the list of secrets on the OIDC app page, click in the secret row and select Delete.

  4. Remember to provide the new secret in the settings on the service provider side. If you need help, refer to your service provider's documentation or support team.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for creating a new OIDC app secret:

    yc iam oauth-client-secret create --help
    
  2. Run this command:

    yc iam oauth-client-secret create --oauth-client-id <OAuth_client_ID>
    

    Result:

    oauth_client_secret:
      id: aje0hjqp68u6********
      oauth_client_id: ajejklv8g9kh********
      masked_secret: yccs__9e1d5f6d5c****
      created_at: "2025-10-23T11:44:50.739768533Z"
    secret_value: yccs__9e1d5f6d5c********
    

    Remember to provide the new secret in the settings on the service provider side. If you need help, refer to your service provider's documentation or support team.

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, create a new secret for the OAuth client:

    resource "yandex_iam_oauth_client_secret" "example_oauth_client_secret" {
      oauth_client_id = "<OAuth_client_ID>"
    }

Where:

  • oauth_client_id: ID of the OAuth client for which you are creating a new secret. This is a required parameter.

For more information about yandex_iam_oauth_client_secret properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the updates of resources and their settings either in the Cloud Center interface or using this CLI command:

    yc iam oauth-client-secret list --oauth-client-id <OAuth_client_ID>

API

Use the OAuthClientSecret.Create REST API method for the OAuthClientSecret resource or the OAuthClientSecretService/Create gRPC API call.

Update the list of app users and groups

Update the list of your organization's users permitted to authenticate in an external app with an OIDC application:

Cloud Center UI
  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps, then select the OIDC app.

  3. Navigate to the Users and groups tab.

  4. To add a user or user group to the app:

    1. Click Add users.
    2. In the window that opens, select the required user or user group.
    3. Click Add.
  5. To delete a user or user group from the app:

    1. In the list of users and groups, click and select Delete next to the user or user group.
    2. Confirm the deletion.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Get the user ID or user group ID.

  2. To add a user or user group to the app:

    1. See the description of the CLI command for adding users to an app:

      yc organization-manager idp application oauth application add-assignments --help
      
    2. Run this command:

      yc organization-manager idp application oauth application add-assignments \
        --id <app_ID> \
        --subject-id ek0omvvcb9vv********
      

      Where:

      • --id: App ID.
      • --subject-id: User or user group ID.

      Result:

      assignment_deltas:
        - action: ADD
          assignment:
            subject_id: ajetvnq2mil8********
      
  3. To delete a user or user group from the app:

    1. See the description of the CLI command for removing users from an app:

      yc organization-manager idp application oauth application remove-assignments --help
      
    2. Run this command:

      yc organization-manager idp application oauth application remove-assignments \
        --id <app_ID> \
        --subject-id <user_ID>
      

      Where:

      • --id: OIDC app ID.
      • --subject-id: User or user group ID.

      Result:

      assignment_deltas:
        - action: REMOVE
          assignment:
            subject_id: ajetvnq2mil8********
      

Terraform

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Describe the parameters for assigning users and groups to your application in a configuration file:

    resource "yandex_organizationmanager_idp_application_oauth_application_assignment" "example_assignment" {
      application_id = "<app_ID>"
      subject_id     = "<user_or_group_ID>"
    }
    

    Where:

    • application_id: OIDC app ID.
    • subject_id: User or user group ID.

    For more information about yandex_organizationmanager_idp_application_oauth_application_assignment properties, see this provider guide.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources and their settings in the Cloud Center UI or using this CLI command:

    yc organization-manager idp application oauth application list-assignments <app_ID>
    

API

Use the Application.UpdateAssignments REST API method for the Application resource or the ApplicationService/UpdateAssignments gRPC API call.

See also

  • Creating an OIDC application in Yandex Identity Hub
  • Deactivating and deleting an OIDC application in Yandex Identity Hub
  • Adding a user
  • OIDC apps
  • Managing user groups

© 2026 Direct Cursus Technology L.L.C.