OIDC registration with the client custom resource

Create a custom resource for OpenID Connect (OIDC) registration.

The controller for OIDC registration generates a secret object that holds a client ID and client secret. That secret can then be used for OIDC challenges. The identity management (IM) service applies role-based access control (RBAC) to the OIDC registration custom resource: only users with the operator role or higher can create, view, and list these objects.

Complete these steps to create the Client custom resource. After you create the custom resource, you can integrate it with your application to enable OIDC-based authentication.

  1. Define a custom resource named Client and save it as a YAML file. For example, sample-oidc-client.yaml. To ensure that the namespace is authorized by the namespace scope operator, see Authorizing foundational services to perform operations on workloads in a namespace.

Following is a sample custom resource with placeholders. Replace <console URL> with the URL of your console:

apiVersion: oidc.security.ibm.com/v1
kind: Client
metadata:
  name: eventstreams-client
  namespace: default
spec:
  secret: eventstreams-oidcclient-secret
  oidcLibertyClient:
    post_logout_redirect_uris:
    - <console URL>:443
    redirect_uris:
    - <console URL>:443/api/auth/callback
    trusted_uri_prefixes:
    - <console URL>:443

The spec section carries the information that the controller uses to register the OIDC client.

Following is the same custom resource with example values filled in:

apiVersion: oidc.security.ibm.com/v1
kind: Client
metadata:
  name: eventstreams-client
  namespace: default
spec:
  secret: eventstreams-oidcclient-secret
  oidcLibertyClient:
    post_logout_redirect_uris:
    - https://myapp.example.com:443
    redirect_uris:
    - https://myapp.example.com:443/api/auth/callback
    trusted_uri_prefixes:
    - https://myapp.example.com:443
  2. Create the custom resource.

     oc create -f <crd-yaml-file-name>.yaml
    

    Following is an example command:

     oc create -f sample-oidc-client.yaml
    

    The command creates the resource, registers the client, and generates the secret named in spec.secret (eventstreams-oidcclient-secret in the example). The secret contains the client ID and client secret.

  3. Check whether the registration is successful.

     oc get Client <client-resource-name> -n <client-resource-namespace>
    

    Following is an example command:

     oc get Client eventstreams-client -n default
    

    If the resource is successfully registered, the status section of the output looks similar to the following:

     status:
       conditions:
         lastTransactionTime: "2019-12-12T23:17:42Z"
         message: OIDC client registration successful
         reason: CreateClientSuccessful
         status: "True"
         type: "Ready"
    
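The two points where this procedure can go wrong silently are a Client spec that still carries placeholder or non-HTTPS redirect URIs (the controller registers whatever you give it, and a loose redirect URI is what an attacker would later abuse) and a status block that is misread. The following added example, which is not part of this page or of the IBM controller, checks a parsed Client custom resource before `oc create` and interprets the status conditions afterwards. The sample objects are constructed here from the page's YAML; the rule that every redirect URI must start with one of the trusted_uri_prefixes entries is this example's own consistency check, not a documented controller requirement.

```python
"""Pre-flight check for an OIDC Client custom resource and a reader for its status.

Added example, not IBM's code. The CR is assumed to have been loaded from YAML
into a dict (any YAML loader will do); the sample dicts below are constructed.
"""
from urllib.parse import urlsplit

# Constructed from the page's example, with concrete values.
SAMPLE_CLIENT = {
    "apiVersion": "oidc.security.ibm.com/v1",
    "kind": "Client",
    "metadata": {"name": "eventstreams-client", "namespace": "default"},
    "spec": {
        "secret": "eventstreams-oidcclient-secret",
        "oidcLibertyClient": {
            "post_logout_redirect_uris": ["https://myapp.example.com:443"],
            "redirect_uris": ["https://myapp.example.com:443/api/auth/callback"],
            "trusted_uri_prefixes": ["https://myapp.example.com:443"],
        },
    },
}

# Constructed from the page's placeholder sample, i.e. the file someone forgot to edit.
PLACEHOLDER_CLIENT = {
    "apiVersion": "oidc.security.ibm.com/v1",
    "kind": "Client",
    "metadata": {"name": "eventstreams-client", "namespace": "default"},
    "spec": {
        "secret": "eventstreams-oidcclient-secret",
        "oidcLibertyClient": {
            "post_logout_redirect_uris": ["<console URL>:443"],
            "redirect_uris": ["<console URL>:443/api/auth/callback"],
            "trusted_uri_prefixes": ["<console URL>:443"],
        },
    },
}

# Constructed from the success output shown on the page.
SAMPLE_STATUS = {
    "conditions": {
        "lastTransactionTime": "2019-12-12T23:17:42Z",
        "message": "OIDC client registration successful",
        "reason": "CreateClientSuccessful",
        "status": "True",
        "type": "Ready",
    }
}

URI_KEYS = ("redirect_uris", "post_logout_redirect_uris", "trusted_uri_prefixes")


def validate_client(cr):
    """Return a list of problems; an empty list means the CR is safe to apply."""
    problems = []
    if cr.get("apiVersion") != "oidc.security.ibm.com/v1" or cr.get("kind") != "Client":
        problems.append("apiVersion/kind must be oidc.security.ibm.com/v1 Client")
    spec = cr.get("spec", {})
    if not spec.get("secret"):
        problems.append("spec.secret (name of the secret to generate) is required")
    liberty = spec.get("oidcLibertyClient", {})
    for key in URI_KEYS:
        if not liberty.get(key):
            problems.append(f"{key} is empty")
        for uri in liberty.get(key, []):
            parts = urlsplit(uri)
            if "<" in uri or ">" in uri:
                problems.append(f"{key}: {uri} still contains a placeholder")
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"{key}: {uri} is not an absolute https URL")
            if "*" in uri or parts.fragment:
                problems.append(f"{key}: {uri} contains a wildcard or fragment")
    # Example's own rule: every redirect URI must sit under a trusted prefix.
    prefixes = liberty.get("trusted_uri_prefixes", [])
    for uri in liberty.get("redirect_uris", []):
        if not any(uri.startswith(p) for p in prefixes):
            problems.append(f"redirect_uris: {uri} is not under any trusted_uri_prefixes entry")
    return problems


def is_registered(status):
    """True when a Ready condition reports status "True", as in the page's output."""
    conds = status.get("conditions", [])
    if isinstance(conds, dict):  # the page prints a single condition as a mapping
        conds = [conds]
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds)


if __name__ == "__main__":
    for name, cr in (("sample", SAMPLE_CLIENT), ("placeholder", PLACEHOLDER_CLIENT)):
        print(name, "->", validate_client(cr) or "ok")
    print("registered:", is_registered(SAMPLE_STATUS))
```

Run the validator over the dict you get from loading your own YAML before step 2, and feed `oc get Client <name> -n <namespace> -o json` (the `.status` object) to `is_registered` in place of eyeballing the output in step 3.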

APIs

You can use the following APIs to create and manage OIDC registrations directly, without the custom resource.

Before you use these APIs, see Preparing to run component or management API commands.

The <cluster_address> is the IBM Cloud Pak console route. You can get the IBM Cloud Pak console route by running the following command:

oc -n <your-foundational-services-namespace> get route cp-console -o yaml

The IBM Cloud Pak console route is in the spec.host section.

Create OIDC registration

curl -X "POST" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" --data @registration.json  "https://<cluster_address>:443/idprovider/v1/auth/registration" --insecure

Update existing OIDC registration

curl -X "PUT" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" --data @registration.json "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure

GET existing OIDC registration information

curl -X "GET" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN"  "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure

DELETE existing OIDC registration

curl -X "DELETE" --header 'Content-Type: application/json' --header 'Accept: application/json' --header "Authorization: bearer $ACCESS_TOKEN" "https://<cluster_address>:443/idprovider/v1/auth/registration/$CLIENT_ID" --insecure
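Each of the four curl commands above sends a bearer token over a connection whose server certificate is never checked (`--insecure`), so anything that can interpose on the path to the console route can read the token and the client secret that comes back. The following added example, which is not IBM's code, builds the same four requests and verifies the console route's certificate against a CA bundle instead. The cluster address, token and CA file path are placeholders, and the registration payload is constructed here with the same URI fields as the Client resource's oidcLibertyClient section, because the page does not show the contents of registration.json.

```python
"""The four idprovider registration calls from the page, with TLS verification.

Added example, not IBM's code. Assumes registration.json carries the URI fields
of the CR's oidcLibertyClient section; the page does not show the file itself.
"""
import json
import ssl
import urllib.request

BASE_PATH = "/idprovider/v1/auth/registration"

# Constructed payload; field names mirror the Client CR (assumption, see above).
SAMPLE_REGISTRATION = {
    "post_logout_redirect_uris": ["https://myapp.example.com:443"],
    "redirect_uris": ["https://myapp.example.com:443/api/auth/callback"],
    "trusted_uri_prefixes": ["https://myapp.example.com:443"],
}


def registration_url(cluster_address, client_id=None):
    """Collection URL for create, or the per-client URL for get/update/delete."""
    url = f"https://{cluster_address}:443{BASE_PATH}"
    return f"{url}/{client_id}" if client_id else url


def build_request(method, cluster_address, access_token, client_id=None, payload=None):
    """Same headers as the page's curl lines: JSON in and out, bearer token."""
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        registration_url(cluster_address, client_id), data=body, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", f"bearer {access_token}")
    return req


def create_registration(cluster_address, access_token, payload):
    return build_request("POST", cluster_address, access_token, payload=payload)


def update_registration(cluster_address, access_token, client_id, payload):
    return build_request("PUT", cluster_address, access_token, client_id, payload)


def get_registration(cluster_address, access_token, client_id):
    return build_request("GET", cluster_address, access_token, client_id)


def delete_registration(cluster_address, access_token, client_id):
    return build_request("DELETE", cluster_address, access_token, client_id)


def tls_context(cafile):
    """Verify the console route against the given CA bundle (replaces --insecure)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send(req, cafile):
    """Send a built request; returns (HTTP status, decoded JSON body)."""
    with urllib.request.urlopen(req, context=tls_context(cafile)) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


if __name__ == "__main__":
    # Placeholders: take the host from `oc get route cp-console` (spec.host), the
    # token from your login, and the CA bundle from the cluster's ingress CA.
    cluster = "<cluster_address>"
    token = "<ACCESS_TOKEN>"
    req = create_registration(cluster, token, SAMPLE_REGISTRATION)
    print(req.get_method(), req.full_url)
    # status, body = send(req, "/path/to/cluster-ca.pem")
```

The `send` call is left commented out in the demo because it needs a live console route; the functions above it only build requests, so they can be exercised offline.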