Registering RQA as a client in Jazz Authorization Server

The OpenShift® administrator can register RQA as a client in the Jazz Authorization Server so that RQA administrators can log in to the RQA administrator dashboard. Complete this process only if you want to use Liberty-based authentication, such as Jazz Authorization Server authorization.

Before you begin

Procedure

Complete the following steps to register RQA as a client in Jazz Authorization Server.

  1. Open the openid-configuration URL in the browser to ensure that the Jazz Authorization Server is configured correctly.
    Format of the openid-configuration URL:
    https://JazzAuthServer:<PORT>/oidc/endpoint/jazzop/.well-known/openid-configuration
    Example of the openid-configuration URL:
    https://testrqawind1.fyre.ibm.com:9643/oidc/endpoint/jazzop/.well-known/openid-configuration
  2. Complete the following steps to submit the Jazz client registration request by using an appropriate REST client, such as Postman:
    Important: If you use custom hostnames for the RQA administrator dashboard and the RQA widget, refer to the Registering RQA as a client in Jazz Authorization Server by using custom hostname topic to register RQA as a client in the Jazz Authorization Server.
    1. Ensure that you create the redirect URL for the RQA administrator dashboard and keep it handy. You must provide it when you register RQA as a client:
      • Redirect URIs: The redirect URI is the URI to which Jazz redirects the browser after the SSO process is initiated. Build your redirect URI in the following manner:
        • For RQA administrator dashboard:
          Format: https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name>/auth/sso/callback
          Example: https://rqa-admindash-route-projectname.apps.clusteraddress.xyz.com/auth/sso/callback
      • Trusted URI prefixes: The trusted URI prefix is the URI that Jazz trusts to allow the SSO process. Build the trusted URIs in the following manner:
        • For RQA administrator dashboard:
          Format: https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name>
          Example: https://rqa-admindash-route-projectname.apps.clusteraddress.xyz.com
      Important:

      If you plan to use a custom hostname, substitute https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name>/callback with an appropriate URI under redirect_uris. For more information, see Registering RQA as a client in Jazz Authorization Server by using custom hostname.

      Also, substitute https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name> with an appropriate URI under trusted_uri_prefixes. For more information, see Registering RQA as a client in Jazz Authorization Server by using custom hostname.

    2. In the update client window, click the Authorization tab.
    3. From the TYPE list, select Basic Auth, and enter the RQA primary administrator's Jazz username and password in the Username and Password fields.
      The token is automatically generated and shown under the Headers tab.
      Example (figure): Token details from the Headers tab
    4. Click the Body tab and provide the details, such as redirect_uris and trusted_uri_prefixes that you noted down earlier.
      Example:
      {
        "client_secret_expires_at": 0,
        "token_endpoint_auth_method": "client_secret_basic",
        "scope": "openid profile",
        "grant_types": [
          "authorization_code",
          "client_credentials",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
        ],
        "response_types": [
          "code",
          "token",
          "id_token token"
        ],
        "application_type": "web",
        "subject_type": "public",
        "preauthorized_scope": "openid profile",
        "introspect_tokens": true,
        "trusted_uri_prefixes": [
          "https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name>"
        ],
        "resource_ids": [],
        "client_name": "RQATenant",
        "redirect_uris": [
          "https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name>/auth/sso/callback"
        ],
        "allow_regexp_redirects": false
      }
    5. Click Send. The RQA client is created.
      The Response pane shows the RQA client details, including client_id and client_secret.

      Example:

      {
      "client_id_issued_at": 1582014795,
      "registration_client_uri": "https://jas.my.company.com:9643/oidc/endpoint/jazzop/registration/d1c27f3b551f6c7ea89d05432e587e82",
      "client_secret_expires_at": 0,
      "token_endpoint_auth_method": "client_secret_basic",
      "scope": "openid profile",
      "grant_types": [
          "authorization_code",
          "client_credentials",
          "implicit",
          "refresh_token",
          "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "response_types": [
          "code",
          "token",
          "id_token token"
      ],
      "application_type": "web",
      "subject_type": "public",
      "post_logout_redirect_uris": [],
      "preauthorized_scope": "openid profile",
      "introspect_tokens": true,
      "trusted_uri_prefixes": [
          "https://localhost/",
          "https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name>"
      ],
      "resource_ids": [],
      "functional_user_groupIds": [],
      "client_id": "d1c27f3b551f6c7ea89d05432e587e82",
      "client_secret": "zSHUssqSJNs1YCaCBK0aPEVV42Ho22xU1EOjerermZKcczTyofyZ540Ztb5r",
      "client_name": "RQATenant",
      "redirect_uris": [
          "https://<your RQA instance name>-admindash-route-<OpenShift project name where RQA will be deployed>.<domain name>/auth/sso/callback"
      ],
      "allow_regexp_redirects": false
      }
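
The following added example (not part of the original procedure or of any IBM tooling) builds the request body from the URI formats in step 1, checks it before it is sent, and lists any URIs in the server's response that the request did not contain, as with the https://localhost/ entry in the example response above. The function names are hypothetical, and the rule that each redirect URI sits under a trusted prefix is a consistency check assumed by this example, not a documented server requirement.

```python
from urllib.parse import urlsplit

# Static fields copied from the example request body in step 4.
BASE_BODY = {
    "client_secret_expires_at": 0,
    "token_endpoint_auth_method": "client_secret_basic",
    "scope": "openid profile",
    "grant_types": ["authorization_code", "client_credentials", "implicit",
                    "refresh_token",
                    "urn:ietf:params:oauth:grant-type:jwt-bearer"],
    "response_types": ["code", "token", "id_token token"],
    "application_type": "web",
    "subject_type": "public",
    "preauthorized_scope": "openid profile",
    "introspect_tokens": True,
    "resource_ids": [],
    "client_name": "RQATenant",
    "allow_regexp_redirects": False,
}
URI_KEYS = ("redirect_uris", "trusted_uri_prefixes")

def build_body(instance, project, domain):
    """Fill in both URI lists using the formats given in step 1."""
    base = f"https://{instance}-admindash-route-{project}.{domain}"
    return {**BASE_BODY, "trusted_uri_prefixes": [base],
            "redirect_uris": [base + "/auth/sso/callback"]}

def check_body(body):
    """Return the problems to fix before the request is sent."""
    problems = []
    for key in URI_KEYS:
        for uri in body[key]:
            if "<" in uri or ">" in uri:
                problems.append(f"{key}: {uri!r} still has a placeholder")
                continue
            parts = urlsplit(uri)
            if parts.scheme != "https" or not parts.hostname:
                problems.append(f"{key}: {uri!r} is not an absolute https URI")
    prefixes = [p.rstrip("/") + "/" for p in body["trusted_uri_prefixes"]]
    for uri in body["redirect_uris"]:
        # Assumption of this example: each redirect URI sits under a prefix.
        if not any(uri.startswith(p) for p in prefixes):
            problems.append(f"redirect_uris: {uri!r} is outside every trusted prefix")
    return problems

def unexpected_in_response(sent, received):
    """URIs the server returned that the request did not contain."""
    extra = {k: sorted(set(received.get(k, [])) - set(sent[k])) for k in URI_KEYS}
    return {k: v for k, v in extra.items() if v}
```
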

What to do next

  • Note down the Jazz URL, port, client_id, and client_secret. You need this information when you deploy RQA in the OpenShift cluster.

    Example:
    url: "https://jas.my.company.com"
    port: 9643
    client_id: d1c27f3b551f6c7ea89d05432e587e82
    client_secret: zSHUssqSJNs1YCaCBK0aPEVV42Ho22xU1EOjerermZKcczTyofyZ540Ztb5r

  • Create catalog sources.