How to register IBM RPA as OIDC client with IAM
To register IBM RPA as an OIDC client with IAM, you run a sequence of commands (oc, certutil and cURL), perform some actions in the Red Hat® OpenShift® Container Platform web console, and work from a folder of your choice.
Follow these instructions to generate the keys (clientId and clientSecret) that are used during the IBM RPA server installation in the OIDC Configuration panel.
The instructions in this procedure are for Windows™ machines.
Requirements
You must meet the following requirements before you start the procedure:
- Install cURL on your computer to run the cURL commands.
- Install a text editor (Notepad++ or similar) to create a JSON file.
- Use an account with permission to run Command Prompt as an administrator.
Procedure
Log in to the Red Hat® OpenShift® web console
Use your credentials to log in to the Red Hat® OpenShift® web console.
Download oc.exe file
- Click the Question Mark (?) on taskbar > Command-Line Tools > Download OC for Windows.
- Save it in a folder with a short path, since you must open that folder later from the Command Prompt.
Generate a login token on Red Hat® OpenShift® Container Platform
- Click your profile name on the taskbar > Copy Log in Command. You are redirected to another webpage.
- Click Display Token.
- Copy the oc login command shown under Log in with this token.
Log in to oc (Command Prompt required)
- Run Command Prompt as administrator.
- Change to the folder that contains the oc.exe file: cd path\to\folder
- Run oc.exe. It has no graphical interface; you can run it only from the Command Prompt.
- Run the login command that you copied from the OpenShift web console.
Get the OAuth 2.0 client registration secret
- Run the following oc command:
oc -n ibm-common-services get secret platform-oidc-credentials -o yaml
- The command prints the secret as YAML. Its data section contains base64-encoded values for keys such as:
IBMID_CLIENT_SECRET, IBMID_PROFILE_CLIENT_SECRET, OAUTH2_CLIENT_REGISTRATION_SECRET (required for the next step), WLP_CLIENT_ID, WLP_CLIENT_SECRET, WLP_SCOPE, and more.
Decode OAUTH2_CLIENT_REGISTRATION_SECRET
- Open the folder where you saved the oc.exe file.
- Create a text file named encoded.txt.
- Paste the OAUTH2_CLIENT_REGISTRATION_SECRET value from the previous step (the value only, without the key name) into the encoded.txt file.
- Run the command:
certutil -decode encoded.txt decoded.txt
- This creates a new file named decoded.txt that contains the decoded OAUTH2_CLIENT_REGISTRATION_SECRET. The value in the secret is base64-encoded, not encrypted, so decoded.txt now holds a usable credential: delete encoded.txt and decoded.txt when you finish the procedure.
Provide a sample registration.json file
- Create a new text file in the folder.
- Copy the following into a text editor and replace {IP_ADDRESS}, {RPA_API_PORT} and {RPA_UI_PORT} with the address, API port and UI port of your IBM RPA server. Because allow_regexp_redirects is false, the redirect URI is matched exactly, so scheme, address and port must be the ones the RPA server actually uses:
{
  "scope": "openid",
  "preauthorized_scope": "openid",
  "introspect_tokens": true,
  "response_types": [ "code", "token", "id_token token" ],
  "grant_types": [
    "authorization_code",
    "client_credentials",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "password"
  ],
  "redirect_uris": [ "https://{IP_ADDRESS}:{RPA_API_PORT}/oidc-callback" ],
  "post_logout_redirect_uris": [ "https://{IP_ADDRESS}:{RPA_UI_PORT}" ],
  "trusted_uri_prefixes": [ "https://{IP_ADDRESS}:{RPA_UI_PORT}", "https://{IP_ADDRESS}:{RPA_API_PORT}" ],
  "appTokenAllowed": true,
  "allow_regexp_redirects": false
}
- Save it as a file named registration.json.
Use cURL to invoke the IAM registration API
Run the following cURL command, replacing {DECODED_PASSWORD} with the content of decoded.txt and the host with the cp-console route of your own cluster:
curl -i -v -k -X POST -u oauthadmin:{DECODED_PASSWORD} -H "Content-Type: application/json" --data @registration.json https://cp-console.apps.rpa-sso5.cp.fyre.ibm.com:443/idauth/oidc/endpoint/OP/registration
The -u option authenticates as the oauthadmin user with the decoded password, and --data @registration.json sends the JSON file that you created. The -k option disables TLS certificate verification for the cp-console route; because the request carries the registration password, prefer --cacert with your cluster's CA certificate over -k where you have it.
Expected output
Among all the data that is returned, save clientId and clientSecret. Both are used in the Server installation, in the OIDC configuration section.
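The procedure above is a sequence of manual cut-and-paste steps. The following script is an added example (not IBM's code and not part of the original page) that does the same data handling offline so each step can be checked: it base64-decodes OAUTH2_CLIENT_REGISTRATION_SECRET from the oc get secret -o yaml output (what certutil -decode does), fills in and sanity-checks the registration.json template, and extracts the client credentials from the registration reply. The YAML and the reply are constructed samples; the IP address and ports, the cp-console URL, the CA file path and the reply field names (client_id/client_secret accepted alongside clientId/clientSecret) are assumptions.

```python
"""Offline helper for the IBM RPA OIDC client registration steps (added example)."""
from __future__ import annotations

import base64
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample of `oc -n ibm-common-services get secret platform-oidc-credentials -o yaml`,
# trimmed to two keys. Values in a Kubernetes Secret are base64-encoded, not encrypted.
SAMPLE_SECRET_YAML = """\
apiVersion: v1
kind: Secret
metadata:
  name: platform-oidc-credentials
  namespace: ibm-common-services
type: Opaque
data:
  OAUTH2_CLIENT_REGISTRATION_SECRET: c2FtcGxlLXJlZ2lzdHJhdGlvbi1zZWNyZXQ=
  WLP_CLIENT_ID: bXktd2xwLWNsaWVudA==
"""

# Constructed, abbreviated sample of the registration endpoint's JSON reply (field names assumed).
SAMPLE_RESPONSE = '{"client_id": "ibm-rpa-client", "client_secret": "s3cr3t-from-iam", "scope": "openid"}'


def decode_registration_secret(secret_yaml: str, key: str = "OAUTH2_CLIENT_REGISTRATION_SECRET") -> str:
    """Return the base64-decoded value of `key` from the data: section (what certutil -decode does)."""
    in_data = False
    for line in secret_yaml.splitlines():
        if not line.startswith(" "):
            in_data = line.startswith("data:")  # a top-level key enters or leaves the data: block
            continue
        if in_data:
            name, _, value = line.strip().partition(":")
            if name == key:
                return base64.b64decode(value.strip()).decode("utf-8")
    raise KeyError(f"{key} not found in the data: section")


def build_registration(ip_address: str, api_port: int, ui_port: int) -> dict:
    """The page's registration.json with {IP_ADDRESS}, {RPA_API_PORT} and {RPA_UI_PORT} filled in."""
    api = f"https://{ip_address}:{api_port}"
    ui = f"https://{ip_address}:{ui_port}"
    return {
        "scope": "openid",
        "preauthorized_scope": "openid",
        "introspect_tokens": True,
        "response_types": ["code", "token", "id_token token"],
        "grant_types": ["authorization_code", "client_credentials", "implicit", "refresh_token",
                        "urn:ietf:params:oauth:grant-type:jwt-bearer", "password"],
        "redirect_uris": [f"{api}/oidc-callback"],
        "post_logout_redirect_uris": [ui],
        "trusted_uri_prefixes": [ui, api],
        "appTokenAllowed": True,
        "allow_regexp_redirects": False,
    }


def check_registration(reg: dict) -> bool:
    """Checks before POSTing: every URI is https with a host and explicit port, redirect matching stays exact."""
    for uri in reg["redirect_uris"] + reg["post_logout_redirect_uris"] + reg["trusted_uri_prefixes"]:
        p = urlparse(uri)
        if p.scheme != "https" or not p.hostname or p.port is None:
            raise ValueError(f"URI must look like https://host:port[/path]: {uri}")
    if reg.get("allow_regexp_redirects"):
        raise ValueError("allow_regexp_redirects must stay false (exact redirect_uri matching)")
    return True


def extract_client_credentials(response_body: str) -> tuple[str, str]:
    """Pull the two values to keep for the RPA server installation out of the registration reply."""
    doc = json.loads(response_body)
    client_id = doc.get("client_id") or doc.get("clientId")            # assumption: either spelling
    client_secret = doc.get("client_secret") or doc.get("clientSecret")
    if not client_id or not client_secret:
        raise ValueError("registration reply carries no client id/secret")
    return client_id, client_secret


def register_client(registration_url: str, decoded_secret: str, reg: dict, cafile: str | None = None) -> str:
    """POST registration.json as oauthadmin like the page's curl, but verify the cp-console
    certificate against `cafile` (or the system store) instead of disabling verification (-k)."""
    basic = base64.b64encode(f"oauthadmin:{decoded_secret}".encode()).decode()
    req = urllib.request.Request(
        registration_url, method="POST", data=json.dumps(reg).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {basic}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    secret = decode_registration_secret(SAMPLE_SECRET_YAML)
    reg = build_registration("10.0.0.5", 8099, 8443)  # assumed RPA address, API port and UI port
    check_registration(reg)
    with open("registration.json", "w") as fh:
        json.dump(reg, fh, indent=2)
    # Real run against a cluster (host and CA path are assumptions):
    # body = register_client("https://cp-console.<cluster-domain>/idauth/oidc/endpoint/OP/registration",
    #                        secret, reg, cafile="cluster-ca.crt")
    client_id, client_secret = extract_client_credentials(SAMPLE_RESPONSE)
    print("clientId:", client_id, "clientSecret:", client_secret)
```

register_client is the only step that needs the cluster; everything else runs offline, which is where the checks belong, since a wrong port or an http:// redirect URI is rejected before the registration password leaves your machine.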