OIDC registration with the client custom resource
Create a custom resource for OpenID Connect (OIDC) registration.
The controller for OIDC registration generates secret objects that contain a client ID and client secret. The secret objects can be used for OIDC challenges. The identity management (IM) service applies role-based access control (RBAC) to the OIDC registration custom resource and grants the Operator role and higher roles the ability to create, view, and list these objects.
- The custom resource is added to the appropriate roles so that users with that role can create OIDC Client resources.
- The OIDC Client resource contains the OIDC registration payload and the name of the secret that is required to inject the resulting OIDC Client ID and secret.
- The OIDC registration controller watches for the OIDC Client resource to be created and then processes it.
- The processing status of the OIDC Client resource is stored in the status portion of the resource, and the secret is created with the client ID and secret information.
Complete these steps to create the Client custom resource. After you create the custom resource, you can integrate it with your application to enable OIDC-based authentication.
- Define a custom resource named Client and save it as a YAML file, for example, sample-oidc-client.yaml. To ensure that the namespace is authorized by the namespace scope operator, see Authorizing foundational services to perform operations on workloads in a namespace.
Following is a sample custom resource:
apiVersion: oidc.security.ibm.com/v1
kind: Client
metadata:
  name: eventstreams-client
  namespace: default
spec:
  secret: eventstreams-oidcclient-secret
  oidcLibertyClient:
    post_logout_redirect_uris:
      - <console URL>:443
    redirect_uris:
      - <console URL>:443/api/auth/callback
    trusted_uri_prefixes:
      - <console URL>:443
The spec section includes the information that initiates the OIDC Client registration process.
- secret is the name of the secret that is generated during registration.
- oidcLibertyClient contains the post-logout redirect URLs (post_logout_redirect_uris), trusted URL prefixes (trusted_uri_prefixes), and redirect URLs (redirect_uris).
Following is the same custom resource with the console URL filled in:
apiVersion: oidc.security.ibm.com/v1
kind: Client
metadata:
  name: eventstreams-client
  namespace: default
spec:
  secret: eventstreams-oidcclient-secret
  oidcLibertyClient:
    post_logout_redirect_uris:
      - https://myapp.example.com:443
    redirect_uris:
      - https://myapp.example.com:443/api/auth/callback
    trusted_uri_prefixes:
      - https://myapp.example.com:443
- Create the custom resource.
oc create -f <crd-yaml-file-name>.yaml
Following is an example command:
oc create -f sample-oidc-client.yaml
The command creates the resource, registers the client, and generates the secret (eventstreams-oidcclient-secret in the example), which contains the client ID and client secret.
- Check whether the registration is successful.
oc get Client <client-resource-name> -n <client-resource-namespace>
Following is an example command:
oc get Client eventstreams-client -n default
If the resource is successfully registered, the status section of the resource is similar to the following:
status:
  conditions:
    - lastTransactionTime: "2019-12-12T23:17:42Z"
      message: OIDC client registration successful
      reason: CreateClientSuccessful
      status: "True"
      type: "Ready"
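As an added example that is not part of the original documentation, the following Python builds the Client manifest from a console URL the way the sample above does, renders it as YAML for oc create -f, and reads the Ready condition from the status output. The check that every redirect_uris entry is HTTPS and covered by a trusted_uri_prefixes entry is a consistency check added here, not validation the controller is documented to perform; the function names are this example's own.

```python
def build_client_manifest(name, namespace, secret_name, console_url):
    """Build the oidc.security.ibm.com/v1 Client resource as a dict, deriving the
    three URI lists from the console URL exactly as the page's sample does."""
    return {
        "apiVersion": "oidc.security.ibm.com/v1",
        "kind": "Client",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "secret": secret_name,
            "oidcLibertyClient": {
                "post_logout_redirect_uris": [console_url],
                "redirect_uris": [f"{console_url}/api/auth/callback"],
                "trusted_uri_prefixes": [console_url],
            },
        },
    }


def untrusted_redirects(manifest):
    """Consistency check added by this example (not done by the controller):
    return redirect_uris that are not HTTPS or match no trusted_uri_prefixes entry."""
    client = manifest["spec"]["oidcLibertyClient"]
    prefixes = client["trusted_uri_prefixes"]
    return [u for u in client["redirect_uris"]
            if not u.startswith("https://") or not any(u.startswith(p) for p in prefixes)]


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for the dict/list/scalar shape of the manifest above."""
    pad = "  " * indent
    out = []
    for key, value in obj.items():
        if isinstance(value, dict):
            out.append(f"{pad}{key}:")
            out.extend(to_yaml(value, indent + 1))
        elif isinstance(value, list):
            out.append(f"{pad}{key}:")
            out.extend(f"{pad}  - {item}" for item in value)
        else:
            out.append(f"{pad}{key}: {value}")
    return out


def is_registered(status):
    """True when status.conditions has a Ready condition whose status is "True",
    which is what oc get Client reports after a successful registration."""
    return any(c.get("type") == "Ready" and c.get("status") == "True"
               for c in status.get("conditions", []))
```

Write "\n".join(to_yaml(manifest)) to sample-oidc-client.yaml before running oc create -f; feed is_registered() the status section from oc get Client -o json.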
APIs
You can use the following APIs to create and manage an OIDC registration.
Before you use these APIs, see Preparing to run component or management API commands.
The <cluster_address> is the IBM Cloud Pak console route. You can get the IBM Cloud Pak console route by running the following command:
oc -n <your-foundational-services-namespace> get route cp-console -o yaml
The IBM Cloud Pak console route is in the spec.host field of the output. The following commands pass --insecure, which skips TLS certificate verification of the console route; omit it when the route presents a certificate that your client trusts.
Create OIDC registration
curl -X "POST" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" --data @registration.json "https://<cluster_address>:443/idprovider/v1/auth/registration" --insecure
Update existing OIDC registration
curl -X "PUT" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" --data @registration.json "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure
GET existing OIDC registration information
curl -X "GET" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure
DELETE existing OIDC registration
curl -X "DELETE" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure