Automated client registration method 3
Define a CustomResourceDefinition (CRD) for OpenID Connect (OIDC) registration.
The OIDC registration controller generates Secret objects that hold a client ID and client secret; these Secrets can then be used to answer OIDC challenges. The IAM service applies role-based access control (RBAC) to the OIDC registration CRD and grants the Operator role and higher roles the ability to create, view, or list these objects.
- The CRD kind is added to the appropriate team role or roles so that users with that role can create OIDC Client resources.
- The OIDC Client resource contains the OIDC registration payload and the name of the secret that is required to inject the resulting OIDC Client ID and secret.
- The OIDC registration controller watches for the OIDC Client resource to be created and processes it.
- The processing status of the OIDC Client resource is stored in the status portion of the resource, and the secret is created with the client ID and secret information.
Complete these steps:
- Define a CRD named Client and save it as a YAML file, for example sample-oidc-client.yaml. To ensure that the namespace is authorized by the namespace scope operator, see Authorizing foundational services to perform operations on workloads in a namespace.
Following is a sample CRD:
apiVersion: oidc.security.ibm.com/v1
kind: Client
metadata:
  name: eventstreams-client
  namespace: default
spec:
  secret: eventstreams-oidcclient-secret
  oidcLibertyClient:
    post_logout_redirect_uris:
      - <console URL>:443
    redirect_uris:
      - <console URL>:443/api/auth/callback
    trusted_uri_prefixes:
      - <console URL>:443
The spec section includes the information that initiates the OIDC client registration process:
- secret is the name of the secret that is generated during registration.
- oidcLibertyClient contains the post-logout redirect URLs (post_logout_redirect_uris), trusted URL prefixes (trusted_uri_prefixes), and redirect URLs (redirect_uris).
Following is the same sample CRD with the console URL placeholders filled in:
apiVersion: oidc.security.ibm.com/v1
kind: Client
metadata:
  name: eventstreams-client
  namespace: default
spec:
  secret: eventstreams-oidcclient-secret
  oidcLibertyClient:
    post_logout_redirect_uris:
      - https://myapp.example.com:443
    redirect_uris:
      - https://myapp.example.com:443/api/auth/callback
    trusted_uri_prefixes:
      - https://myapp.example.com:443
- Create the CRD.
oc create -f <crd-yaml-file-name>.yaml
Following is an example command:
oc create -f sample-oidc-client.yaml
The command creates the resource, registers the client, and generates the secret (eventstreams-oidcclient-secret in the example), which includes the client ID and client secret.
- Check whether the registration is successful.
oc get Client <client-resource-name> -n <client-resource-namespace>
Following is an example command:
oc get Client eventstreams-client -n default
If the resource is successfully registered, you see a message similar to the following message:
status:
  conditions:
    lastTransactionTime: "2019-12-12T23:17:42Z"
    message: OIDC client registration successful
    reason: CreateClientSuccessful
    status: "True"
    type: "Ready"
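As an added example that is not part of this documentation or of the registration controller, the following Python script lints a Client resource before it is created (the spec fields described above) and then reads status.conditions from the resource, as oc get would return it with -o json, to decide whether registration succeeded. The origin-based check that every redirect and post-logout URI falls under a trusted_uri_prefixes entry is a defensive rule assumed here, not one the controller is documented to enforce; both sample resources are constructed.

```python
"""Pre-flight lint for an OIDC Client resource, plus a readiness check on its status.

Added example, not code from the IBM documentation or the registration controller.
Assumes only the resource shape shown on the page: spec.secret,
spec.oidcLibertyClient.{post_logout_redirect_uris,redirect_uris,trusted_uri_prefixes}
and status.conditions entries carrying type/status/reason.
"""
import json
import re
from urllib.parse import urlsplit

# The generated Secret is a Kubernetes object, so its name must be DNS-1123 style.
_K8S_NAME = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")


def _origin(uri):
    """Return (scheme, host, port, path) with the default https port applied."""
    p = urlsplit(uri)
    try:
        port = p.port
    except ValueError:  # non-numeric port segment: treat as unparseable
        return "", "", None, ""
    if port is None and p.scheme == "https":
        port = 443
    return p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/"


def under_prefix(uri, prefix):
    """True if uri sits under prefix by origin and path, not by raw string prefix.

    A raw startswith() would accept https://myapp.example.com.evil.example for a
    prefix of https://myapp.example.com; comparing the parsed origin does not.
    """
    us, uh, up, upath = _origin(uri)
    ps, ph, pp, ppath = _origin(prefix)
    return (us, uh, up) == (ps, ph, pp) and upath.startswith(ppath)


def lint_client(resource):
    """Return a list of problems; an empty list means the spec looks sane."""
    problems = []
    spec = resource.get("spec", {})
    secret = spec.get("secret", "")
    if not _K8S_NAME.match(secret) or len(secret) > 253:
        problems.append(f"spec.secret {secret!r} is not a valid Kubernetes object name")
    client = spec.get("oidcLibertyClient", {})
    prefixes = client.get("trusted_uri_prefixes", [])
    if not prefixes:
        problems.append("trusted_uri_prefixes is empty")
    for key in ("trusted_uri_prefixes", "redirect_uris", "post_logout_redirect_uris"):
        for uri in client.get(key, []):
            if "<" in uri or ">" in uri:
                problems.append(f"{key}: placeholder left in {uri!r}")
                continue
            scheme, host, _, _ = _origin(uri)
            if scheme != "https" or not host:
                problems.append(f"{key}: {uri!r} is not an https URL with a host")
            elif key != "trusted_uri_prefixes" and not any(under_prefix(uri, p) for p in prefixes):
                problems.append(f"{key}: {uri!r} is not under any trusted_uri_prefixes entry")
    return problems


def is_ready(resource):
    """True when status.conditions reports a Ready condition with status "True".

    Conditions may be rendered as a list or, as in the page's sample output, as a
    single mapping; both shapes are accepted.
    """
    conds = resource.get("status", {}).get("conditions", [])
    if isinstance(conds, dict):
        conds = [conds]
    return any(c.get("type") == "Ready" and str(c.get("status")).lower() == "true" for c in conds)


# Constructed sample mirroring `oc get Client eventstreams-client -n default -o json`
# after a successful registration; values follow the page's example resource.
GOOD_CLIENT = json.loads("""
{
  "apiVersion": "oidc.security.ibm.com/v1",
  "kind": "Client",
  "metadata": {"name": "eventstreams-client", "namespace": "default"},
  "spec": {
    "secret": "eventstreams-oidcclient-secret",
    "oidcLibertyClient": {
      "post_logout_redirect_uris": ["https://myapp.example.com:443"],
      "redirect_uris": ["https://myapp.example.com:443/api/auth/callback"],
      "trusted_uri_prefixes": ["https://myapp.example.com:443"]
    }
  },
  "status": {"conditions": [{"lastTransactionTime": "2019-12-12T23:17:42Z",
    "message": "OIDC client registration successful",
    "reason": "CreateClientSuccessful", "status": "True", "type": "Ready"}]}
}
""")

# Constructed sample carrying the mistakes the lint is meant to catch.
BAD_CLIENT = {
    "spec": {
        "secret": "EventStreams_secret",
        "oidcLibertyClient": {
            "post_logout_redirect_uris": ["<console URL>:443"],
            "redirect_uris": ["http://myapp.example.com/api/auth/callback",
                              "https://myapp.example.com.evil.example/cb"],
            "trusted_uri_prefixes": ["https://myapp.example.com:443"],
        },
    },
    "status": {"conditions": [{"type": "Ready", "status": "False"}]},
}

if __name__ == "__main__":
    for name, res in (("good", GOOD_CLIENT), ("bad", BAD_CLIENT)):
        print(name, "ready" if is_ready(res) else "not ready", lint_client(res))
```

Run the lint on the YAML before oc create (convert it with oc create --dry-run=client -o json, or load it with a YAML parser) and poll is_ready on the live resource until the controller reports Ready; a placeholder left in a redirect URI or an http scheme is caught locally instead of surfacing as a failed registration.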
APIs
You can use the following APIs to create and manage the OIDC registration.
Before you use these APIs, see Preparing to run component or management API commands.
The <cluster_address> is the IBM Cloud Pak console route. You can get the IBM Cloud Pak console route by running the following command:
oc -n ibm-common-services get route cp-console -o yaml
The IBM Cloud Pak console route is in the spec.host section.
Create OIDC registration
curl -X "POST" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" --data @registration.json "https://<cluster_address>:443/idprovider/v1/auth/registration" --insecure
Update existing OIDC registration
curl -X "PUT" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" --data @registration.json "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure
GET existing OIDC registration information
curl -X "GET" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure
DELETE existing OIDC registration
curl -X "DELETE" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure
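The four calls above, wrapped in a small Python client as an added example that is not IBM Cloud Pak code. It assumes exactly the endpoints the curl commands give (POST, PUT, GET and DELETE under https://<cluster_address>:443/idprovider/v1/auth/registration) and a bearer access token in the Authorization header. The registration payload format is not shown on this page, so the body is passed through as an opaque JSON document. Unlike curl --insecure, which skips certificate verification of the console route, the client verifies the route certificate against the platform trust store or a CA bundle you supply; the cp-console.example.com host and the token value in the usage are constructed.

```python
"""Minimal client for the OIDC registration REST API documented on the page.

Added example, not code from IBM Cloud Pak. Assumed: the endpoint paths in the
page's curl commands, a "bearer <token>" Authorization header, and an opaque JSON
registration body (its schema is not on the page).
"""
import json
import ssl
import urllib.request
from urllib.parse import quote


class RegistrationClient:
    BASE_PATH = "/idprovider/v1/auth/registration"

    def __init__(self, cluster_address, access_token, ca_bundle=None):
        # cluster_address is the cp-console route host (spec.host of the route).
        if not cluster_address or "<" in cluster_address or ">" in cluster_address:
            raise ValueError("cluster_address must be the real console route, not a placeholder")
        self.base_url = f"https://{cluster_address}:443{self.BASE_PATH}"
        self.token = access_token
        # Verify the route certificate: against ca_bundle (the CA that issued the
        # console route certificate) when given, else the platform trust store.
        # This is the verified counterpart of curl --insecure.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def _request(self, method, path="", body=None):
        headers = {"Accept": "application/json",
                   "Authorization": f"bearer {self.token}"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        return urllib.request.Request(self.base_url + path, data=data,
                                      headers=headers, method=method)

    @staticmethod
    def _id_path(client_id):
        # Percent-encode the id so it cannot add path segments or query parts.
        return "/" + quote(str(client_id), safe="")

    def create(self, registration):
        return self._request("POST", body=registration)

    def update(self, client_id, registration):
        return self._request("PUT", self._id_path(client_id), body=registration)

    def get(self, client_id):
        return self._request("GET", self._id_path(client_id))

    def delete(self, client_id):
        return self._request("DELETE", self._id_path(client_id))

    def send(self, req, timeout=30):
        """Perform the request; returns (HTTP status, decoded JSON body or None)."""
        with urllib.request.urlopen(req, context=self.ctx, timeout=timeout) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Constructed values; replace with the real route host and an access token.
    client = RegistrationClient("cp-console.example.com", "ACCESS_TOKEN_PLACEHOLDER",
                                ca_bundle=None)
    req = client.get("CLIENT_ID_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    # client.send(req) would perform the call against the live cluster.
```

Read the registration document with json.load from registration.json and pass it to create() or update(); the response from send() is whatever the registration endpoint returns, which this page does not describe.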