Application activity domain.

• A: AGRICULTURE, FORESTRY AND FISHING
• B: MINING AND QUARRYING
• C: MANUFACTURING
• D: ELECTRICITY, GAS, STEAM AND AIR CONDITIONING SUPPLY
• E: WATER SUPPLY; SEWERAGE, WASTE MANAGEMENT AND REMEDIATION ACTIVITIES
• F: CONSTRUCTION
• G: WHOLESALE AND RETAIL TRADE; REPAIR OF MOTOR VEHICLES AND MOTORCYCLES
• H: TRANSPORTATION AND STORAGE
• I: ACCOMMODATION AND FOOD SERVICE ACTIVITIES
• J: INFORMATION AND COMMUNICATION
• K: FINANCIAL AND INSURANCE ACTIVITIES
• L: REAL ESTATE ACTIVITIES
• M: PROFESSIONAL, SCIENTIFIC AND TECHNICAL ACTIVITIES
• N: ADMINISTRATIVE AND SUPPORT SERVICE ACTIVITIES
• O: PUBLIC ADMINISTRATION AND DEFENCE; COMPULSORY SOCIAL SECURITY
• P: EDUCATION
• Q: HUMAN HEALTH AND SOCIAL WORK ACTIVITIES
• R: ARTS, ENTERTAINMENT AND RECREATION
• S: OTHER SERVICE ACTIVITIES
• T: ACTIVITIES OF HOUSEHOLDS AS EMPLOYERS; UNDIFFERENTIATED GOODS- AND SERVICES-PRODUCING ACTIVITIES OF HOUSEHOLDS FOR OWN USE
• U: ACTIVITIES OF EXTRATERRITORIAL ORGANISATIONS AND BODIES

Indicates if application could send sms. Only superadmin and app_superadmin can set this field.

app_superadmin is allowed to set application appSecret, otherwise it is automatically generated

Comment regarding the application (free data).
Can only be set by users with superadmin/app_superadmin roles.

Application status (free data).
Can only be set by users with superadmin/app_superadmin roles.

URL which can be used by the application (especially Desktop applications) as callback URL for backchannel authentication mechanism (currently implemented only for Single Sign On (OIDC, SAML)). Used when useBackchannelAuthenticationRedirectUrl is enabled by the application in the SSO loginUrl (SSO flow run inside user's browser and redirection to the Desktop application with the Rainbow JWT token once user is successfully authenticated).
If this setting is not set, ssoAuthenticationRedirectUrl setting is used instead.
See GET /api/rainbow/authentication/v1.0/oidc-client/login for more information regarding the Single Sign On method using OIDC.

application description

If set to true, the consent screen will not be presented to the users during the OAuth 2.0 authentication for this application.

This setting is disabled by default (i.e. the consent screen IS displayed). It should be enabled only for specific trusted applications developed by ALE (Teams connector, Desk Booking, ...).
Can only be set by users with superadmin/app_superadmin roles.

If set to true, allow to generate several OAuth 2.0 refresh_token per user for this application.
When this setting is enabled, each time a user authenticate using OAuth 2.0 authorization code grant, a new refresh_token is generated and previous refresh_tokens this user could have obtained from login using the same application on other device are preserved (enable a kind of multiple OAuth sessions per user).
If this setting is disabled, each time a user authenticate using OAuth 2.0 authorization code grant, a new refresh_token is generated and if a refresh_token existed from a previous login of this user for this application, this refresh_token and all access_tokens obtained using it are revoked to keep only the new access_token / refresh_token generated during this new login.
This setting is enabled by default.

If set to true, allow the application to use OAuth 2.0 implicit grant.
This setting is disabled by default, as implicit flow is less secure than authorize code grant.

If set to true, enable the OAuth 2.0 refresh_token rotation for this application.
When refresh_token rotation is enabled, each time the application uses a refresh_token to retrieve a new access_token, a new refresh_token is also returned and the previous refresh_token is revoked.
refresh_token rotation reduces the threat if the refresh_token would be compromised, as it will be revoked the next time the application refreshed its access_token.
This setting is enabled by default, as refresh_token rotation is more secure. It is not recommended to disable this setting.

superadmin/app_superadmin is allowed to set application kpi

Application title

URI(s) used by the application as callback URL for OAuth 2.0.
Mandatory parameter to use OAuth 2.0 login method. To ensure the authentication security, Rainbow only sends OAuth authentication tokens to URLs that are set in oauthRedirectUris.
Max 20 URIs.

Origin

Owner unique identifier (like 578bb08dc0d8c107725ef8c4).
Can only be set by users with superadmin/app_superadmin roles.
ownerId must correspond to a user with the role app_admin.
When an app_admin user (without the roles superadmin/app_superadmin) creates an application, ownerId is automatically set to his user id.

URL of the application's website explaining the application's privacy policy for the end user.
This URL will be displayed as a link in the OAuth 2.0 consent form presented to the user (the page allowing the user to allow the application to access his data).
This parameter is optional, if not provided no link will be displayed in the consent form.

URL which can be used by the application as callback URL for authentication using Single Sign On (OIDC, SAML).
If this setting is not set, by default the SSO authentication methods redirect the obtained JWT on the URL https://web.openrainbow.com/#/?tkn=
See GET /api/rainbow/authentication/v1.0/oidc-client/login for more information regarding the Single Sign On method using OIDC.

URL of the application's website explaining the application's terms of services for the end user.
This URL will be displayed as a link in the OAuth 2.0 consent form presented to the user (the page allowing the user to allow the application to access his data).
This parameter is optional, if not provided no link will be displayed in the consent form.

Application activity domain.

• A: AGRICULTURE, FORESTRY AND FISHING
• B: MINING AND QUARRYING
• C: MANUFACTURING
• D: ELECTRICITY, GAS, STEAM AND AIR CONDITIONING SUPPLY
• E: WATER SUPPLY; SEWERAGE, WASTE MANAGEMENT AND REMEDIATION ACTIVITIES
• F: CONSTRUCTION
• G: WHOLESALE AND RETAIL TRADE; REPAIR OF MOTOR VEHICLES AND MOTORCYCLES
• H: TRANSPORTATION AND STORAGE
• I: ACCOMMODATION AND FOOD SERVICE ACTIVITIES
• J: INFORMATION AND COMMUNICATION
• K: FINANCIAL AND INSURANCE ACTIVITIES
• L: REAL ESTATE ACTIVITIES
• M: PROFESSIONAL, SCIENTIFIC AND TECHNICAL ACTIVITIES
• N: ADMINISTRATIVE AND SUPPORT SERVICE ACTIVITIES
• O: PUBLIC ADMINISTRATION AND DEFENCE; COMPULSORY SOCIAL SECURITY
• P: EDUCATION
• Q: HUMAN HEALTH AND SOCIAL WORK ACTIVITIES
• R: ARTS, ENTERTAINMENT AND RECREATION
• S: OTHER SERVICE ACTIVITIES
• T: ACTIVITIES OF HOUSEHOLDS AS EMPLOYERS; UNDIFFERENTIATED GOODS- AND SERVICES-PRODUCING ACTIVITIES OF HOUSEHOLDS FOR OWN USE
• U: ACTIVITIES OF EXTRATERRITORIAL ORGANISATIONS AND BODIES

Indicates if application could send sms. Only superadmin and app_superadmin can set this field.

Comment regarding the application (free data).
Can only be set by users with superadmin/app_superadmin roles.

Application status (free data).
Can only be set by users with superadmin/app_superadmin roles.

URL which can be used by the application (especially Desktop applications) as callback URL for backchannel authentication mechanism (currently implemented only for Single Sign On (OIDC, SAML)). Used when useBackchannelAuthenticationRedirectUrl is enabled by the application in the SSO loginUrl (SSO flow run inside user's browser and redirection to the Desktop application with the Rainbow JWT token once user is successfully authenticated).
If this setting is not set, ssoAuthenticationRedirectUrl setting is used instead.
See GET /api/rainbow/authentication/v1.0/oidc-client/login for more information regarding the Single Sign On method using OIDC.

Reason of deployment
Can only be updated by users with role superadmin or app_superadmin.
The update of deployReason is only allowed if the application env is deployed.

application description

If set to true, the consent screen will not be presented to the users during the OAuth 2.0 authentication for this application.

This setting is disabled by default (i.e. the consent screen IS displayed). It should be enabled only for specific trusted applications developed by ALE (Teams connector, Desk Booking, ...).
Can only be set by users with superadmin/app_superadmin roles.

If set to true, allow to generate several OAuth 2.0 refresh_token per user for this application.
When this setting is enabled, each time a user authenticate using OAuth 2.0 authorization code grant, a new refresh_token is generated and previous refresh_tokens this user could have obtained from login using the same application on other device are preserved (enable a kind of multiple OAuth sessions per user).
If this setting is disabled, each time a user authenticate using OAuth 2.0 authorization code grant, a new refresh_token is generated and if a refresh_token existed from a previous login of this user for this application, this refresh_token and all access_tokens obtained using it are revoked to keep only the new access_token / refresh_token generated during this new login.
This setting is enabled by default.

If set to true, allow the application to use OAuth 2.0 implicit grant.
This setting is disabled by default, as implicit flow is less secure than authorize code grant.

If set to true, enable the OAuth 2.0 refresh_token rotation for this application.
When refresh_token rotation is enabled, each time the application uses a refresh_token to retrieve a new access_token, a new refresh_token is also returned and the previous refresh_token is revoked.
refresh_token rotation reduces the threat if the refresh_token would be compromised, as it will be revoked the next time the application refreshed its access_token.
This setting is enabled by default, as refresh_token rotation is more secure. It is not recommended to disable this setting.

superadmin/app_superadmin is allowed to set application kpi

Application title

URI(s) used by the application as callback URL for OAuth 2.0.
Mandatory parameter to use OAuth 2.0 login method. To ensure the authentication security, Rainbow only sends OAuth authentication tokens to URLs that are set in oauthRedirectUris.
Max 20 URIs.

Origin

Change application's owner unique identifier (like 578bb08dc0d8c107725ef8c4).
The new requested ownerId must be a user with role the app_admin.
superadmin or app_superadmin can set any new ownerId, otherwise the previous ownerId and the new ownerId must be in the same company than the logged in user (if the logged in user is not the ownerId of the application, ownerId is the only field he can update - all the other fields are ignored).
The ownerId can not be changed if the application has the kpi payasyougo.

URL of the application's website explaining the application's privacy policy for the end user.
This URL will be displayed as a link in the OAuth 2.0 consent form presented to the user (the page allowing the user to allow the application to access his data).
This parameter is optional, if not provided no link will be displayed in the consent form.

If set to true, refresh appSecret by setting a new random value

URL which can be used by the application as callback URL for authentication using Single Sign On (OIDC, SAML).
If this setting is not set, by default the SSO authentication methods redirect the obtained JWT on the URL https://web.openrainbow.com/#/?tkn=
See GET /api/rainbow/authentication/v1.0/oidc-client/login for more information regarding the Single Sign On method using OIDC.

URL of the application's website explaining the application's terms of services for the end user.
This URL will be displayed as a link in the OAuth 2.0 consent form presented to the user (the page allowing the user to allow the application to access his data).
This parameter is optional, if not provided no link will be displayed in the consent form.

String containing your Android App apiKey as defined in https://push.baidu.com/doc/guide/manufacturer, , this field is required if 'type' is baidu

String containing your Apple App Bundle ID as defined in https://developer.apple.com/documentation/appstoreconnectapi/bundle_ids, , this field is required if 'type' is apns_v2

String containing a authorization key, this field is required if 'type' is fcm or fcm_xmpp

String containing APNS certificate in a PEM format, this field is required if 'type' is apns

Certificate type, this field is required if 'type' is apns

String containing client_email of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

Boolean indicating if setting is enabled/disabled

String containing private_key of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

String containing private_key_id of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

String containing project_id of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

String containing your Android App secretKey as defined in https://push.baidu.com/doc/guide/manufacturer, this field is required if 'type' is baidu

String containing senderId of your Application available in firebase ( available in https://console.firebase.google.com/u/0/project/[Your project]/settings/cloudmessaging/) , this field is required if 'type' is fcm_xmpp

String containing token_uri of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

String containing your Android App apiKey as defined in https://push.baidu.com/doc/guide/manufacturer, , this field is required if 'type' is baidu

String containing a authorization key, this field is required if updated push notification settings type is fcm or fcm_xmpp

String containing APNS certificates in a PEM format, this field is required if updated push notification settings type is apns

String containing client_email of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

Boolean indicating if setting is enabled/disabled

String containing private_key of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

String containing private_key_id of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

String containing project_id of your Application available in firebase (See https://console.firebase.google.com/u/0/project/[Your project]/settings/serviceaccounts/adminsdk for explanation), this field is required if 'type' is fcm_v1

String containing your Android App secretKey as defined in https://push.baidu.com/doc/guide/manufacturer, , this field is required if 'type' is baidu