Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Updating an OIDC application in Yandex Identity Hub

Written by
Updated at November 12, 2025

Note

This feature is at the Preview stage.

OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.

Update the app's basic settings

To update the OIDC app's basic settings:

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and select the OIDC application.

  3. On the top right, click Edit and in the window that opens:

    1. Change the app's name in the Name field. The name must be unique within the organization and follow the naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    2. Change the app's description in the Description field.

    3. Add new labels by clicking Labels in the Add label field. Click to delete an existing label.

    4. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for updating an OIDC application:

    yc organization-manager idp application oauth application update --help

  2. Run this command:

    yc iam organization-manager idp application oauth application update \
  --id <app_ID> \
  --new-name <application_name> \
  --description <application_description> \
  --client-id <OAuth_client_ID> \
  --authorized-scopes <attribute>[,<attribute>] \
  --group-distribution-type all-groups \
  --labels <key>=<value>[,<key>=<value>]

    Where:

    • --id: OIDC app ID. This is a required parameter.

    • --name: New name for the OIDC app. The name must be unique within the organization and follow the naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • --description: New description for the OIDC app.

    • --client-id: ID of the new OAuth client.

    • --authorized-scopes: New user attributes that will be available to the service provider. Specify one or more attributes, comma-separated, in <attribute1>,<attribute2> format. Possible attributes:

      • openid: User ID. Required attribute.

      • profile: Additional user details, such as first name, last name, and avatar.

      • email: User email address.

      • address: User home address.

      • phone: User phone number.

      • groups: User groups in the organization.

        Warning

        You need to specify the new user attributes in the service provider configuration first, using the --scopes parameters.

    • --group-distribution-type: If you provided the groups attribute when creating or updating the OAuth client, update the user groups you want to go to the service provider. The possible values are:

      • all-groups: Service provider will get all groups the user belongs to.

        The maximum number of groups to change hands is 1,000. If the user belongs to more groups than this, only the first thousand will go to the service provider.

      • assigned-groups: Of all the user's groups, the service provider will only get the ones explicitly specified.

      • none: Service provider will not get any of the groups the user belongs to.

    • labels: New list of labels. You can specify one or more labels separated by commas in <key1>=<value1>,<key2>=<value2> format.

    Result:

    id: ek0o663g4rs2********
name: oidc-app
organization_id: bpf2c65rqcl8********
group_claims_settings:
  group_distribution_type: NONE
client_grant:
  client_id: ajeqqip130i1********
  authorized_scopes:
    - openid
status: ACTIVE
created_at: "2025-10-21T10:51:28.790866Z"
updated_at: "2025-10-21T12:37:19.274522Z"

Update the service provider configuration

To update the service provider configuration in an OIDC app:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then, the OIDC app.

  3. On the top right, click Edit and in the window that opens:

    1. Specify the address you got from the service provider in the Redirect URI field.

      Click Add URI to specify multiple redirect URIs at once.

    2. In the Scopes field, select user attributes that will be available to the service provider.

      • openid (user ID): User ID. This is a required parameter.

      • email address: User email address.

      • profile (full name, first name, last name, avatar, etc.): Additional user details.

      • groups (user's groups in the organization): User groups in the organization whose member the user getting authenticated is. The possible values are:

        • All grous : Security provider will get all groups the user belongs to.

          The maximum number of sent groups: 1,000. If the user belongs to more groups, only the first thousand of them will be communicated to the service provider.

        • Assigned groups only: Of all groups the user belongs to, the service provider will only get the ones explicitly specified on the Users and groups tab of the OIDC app.

    3. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for setting up the OAuth client:

    yc iam oauth-client update --help

  2. Run this command:

    yc iam oauth-client update \
  --id <OAuth_client_ID> \
  --new-name <new_name_for_OAuth_client> \
  --redirect-uris <address>[,<address>] \
  --scopes <attribute>[,<attribute>]

    Where:

    • --id: OAuth client ID.

    • --new-name: New name for the OAuth client.

    • --scopes: New user attributes that will be available to the service provider. Specify one or more attributes, comma-separated, in <attribute1>,<attribute2> format. Possible attributes:

      • openid: User ID. Required attribute.

      • profile: Additional user details, such as first name, last name, and avatar.

      • email: User email address.

      • address: User home address.

      • phone: User phone number.

      • groups: User groups in the organization.

        Warning

        You also need to specify the new user attributes in the app's basic settings using the --authorized-scopes parameters.

    • --redirect-uris: Specify the new address or addresses you got from the service provider in <address1>,<address2> format.

    Result:

    id: ajejklv8g9kh********
name: my-oauth-client
redirect_uris:
  - https://example2.com
  - https://example2.ru
scopes:
  - openid
  - profile
folder_id: b1g500m2195v********
status: ACTIVE

  3. If you updated the user attributes that will be available to the service provider (--scopes), specify them.

Updating an app's secret

There is no way you can view or update an app’s secret. Instead, you can generate a new one:

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps and then, the OIDC app.

  3. Under App secrets, click Add secret, and in the window that opens:

    1. Optionally, add a description for the new secret.
    2. Click Create.

    The window will display the generated application secret. Save this value.

    Warning

    If you refresh or close the application information page, you will not be able to view the secret again.

    If you closed or refreshed the page before saving the secret, click Add secret to create a new one.

    To delete a secret, in the list of secrets on the OIDC app page, click in the secret row and select Delete.

  4. Remember to provide the new secret in the settings on the service provider side. If you need help, refer to your service provider's documentation or support team.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for creating a new OIDC app secret:

    yc iam oauth-client-secret create --help

  2. Run this command:

    yc iam oauth-client-secret create --oauth-client-id <OAuth_client_ID>

    Result:

    oauth_client_secret:
  id: aje0hjqp68u6********
  oauth_client_id: ajejklv8g9kh********
  masked_secret: yccs__9e1d5f6d5c****
  created_at: "2025-10-23T11:44:50.739768533Z"
secret_value: yccs__9e1d5f6d5c********

    Remember to provide the new secret in the settings on the service provider side. If you need help, refer to your service provider's documentation or support team.

Update the list of app users and groups

Update the list of your organization's users permitted to authenticate in an external app with an OIDC application:

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and then, the OIDC app.

  3. Navigate to the Users and groups tab.

  4. To add a user or user group to the app:

    1. Click Add users.
    2. In the window that opens, select the required user or user group.
    3. Click Add.

  5. To delete a user or user group from the app:

    1. In the list of users and groups, click and select Delete next to the user or user group.
    2. Confirm the deletion.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Get the user ID or user group ID.

  2. To add a user or user group to the app:

    1. See the description of the CLI command for adding users to an app:

      yc organization-manager idp application oauth application add-assignments --help

    2. Run this command:

      yc organization-manager idp application oauth application add-assignments \
  --id <app_ID> \
  --subject-id ek0omvvcb9vv********

      Where:

      • --id: App ID.
      • --subject-id: User or user group ID.

      Result:

      assignment_deltas:
  - action: ADD
    assignment:
      subject_id: ajetvnq2mil8********

  3. To delete a user or user group from the app:

    1. See the description of the CLI command for removing users from an app:

      yc organization-manager idp application oauth application remove-assignments --help

    2. Run this command:

      yc organization-manager idp application oauth application remove-assignments \
  --id <app_ID> \
  --subject-id <user_ID>

      Where:

      • --id: OIDC app ID.
      • --subject-id: User or user group ID.

      Result:

      assignment_deltas:
  - action: REMOVE
    assignment:
      subject_id: ajetvnq2mil8********

See also

Previous
Creating an app
Next
Setting up access for app users