How to register IBM RPA as OIDC client with IAM

To register IBM RPA as an OIDC client with IAM, you run a sequence of cURL and oc commands, perform some actions in the Red Hat® OpenShift® Container Platform web console, and work from a folder of your choice.

Note: This procedure applies to IBM RPA on premises 21.0.1 and 21.0.0 only. IBM RPA 21.0.2 uses User Management Service (UMS) as its single sign-on (SSO) provider.

Follow these instructions to generate the keys (clientId and clientSecret) that are used during the IBM RPA server installation, in the OIDC Configuration panel.

The instructions in this procedure are for Windows™ machines.

Requirements

Before you start the procedure, make sure that:

  • cURL is installed on your computer, to run the cURL commands.
  • A text editor (Notepad++ or similar) is installed, to create a JSON file.
  • You have a user account with permission to run Command Prompt as an administrator.

Procedure

Log in to the Red Hat® OpenShift® web console

Use your credentials to log in to the Red Hat® OpenShift® web console.

Download the oc.exe file

  1. Click the question mark (?) on the taskbar > Command-Line Tools > Download OC for Windows.
  2. Save it in a folder with a short path, because you must open that folder from the Command Prompt later on.

Generate a login token on Red Hat® OpenShift® Container Platform

  1. Click your profile name on the taskbar > Copy Login Command. You are redirected to another web page.
  2. Click Display Token.
  3. Copy the command shown under Log in with this token.

Log in to oc (Command Prompt required)

  1. Run Command Prompt as administrator.

  2. In the Command Prompt, change to the folder that contains the oc.exe file:

    cd path/to/file
    
  3. Run oc.exe. You can run it only from the Command Prompt.

  4. Run the login command that you copied from the OpenShift web console.

Get the OAuth 2.0 client registration secret

  1. Run the following oc command:

    oc -n ibm-common-services get secret platform-oidc-credentials -o yaml
    
  2. The command output contains, among other fields:

    IBMID_CLIENT_SECRET: 
    IBMID_PROFILE_CLIENT_SECRET: 
    OAUTH2_CLIENT_REGISTRATION_SECRET: (Required for next step)
    WLP_CLIENT_ID: 
    WLP_CLIENT_SECRET:
    WLP_SCOPE: 
    

Decode the OAUTH2_CLIENT_REGISTRATION_SECRET

  1. Open the folder in which you saved the oc.exe file.

  2. Create a text file named encoded.txt.

  3. Paste the OAUTH2_CLIENT_REGISTRATION_SECRET value that you retrieved into the encoded.txt file.

  4. Run the command:

    certutil -decode encoded.txt decoded.txt
    
  5. This creates a new file named decoded.txt that contains the decoded OAUTH2_CLIENT_REGISTRATION_SECRET.

Note: This decoded password is used later when you invoke the IAM registration API.

Provide a sample registration.json file

  1. Create a new text file in the folder.

  2. Copy the following into the text editor, replacing the {IP_ADDRESS}, {RPA_API_PORT} and {RPA_UI_PORT} placeholders with your IBM RPA server's IP address, API port and UI port:

    {
        "scope": "openid",
        "preauthorized_scope": "openid",
        "introspect_tokens": true,
        "response_types": [
            "code",
            "token",
            "id_token token"
        ],
        "grant_types": [
            "authorization_code",
            "client_credentials",
            "implicit",
            "refresh_token",
            "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "password"
        ],
        "redirect_uris": ["https://{IP_ADDRESS}:{RPA_API_PORT}/oidc-callback" ],
        "post_logout_redirect_uris": ["https://{IP_ADDRESS}:{RPA_UI_PORT}"],
        "trusted_uri_prefixes": ["https://{IP_ADDRESS}:{RPA_UI_PORT}", "https://{IP_ADDRESS}:{RPA_API_PORT}"],
        "appTokenAllowed": true,
        "allow_regexp_redirects": false
    }
    
  3. Save it as registration.json.

Use cURL to invoke the IAM registration API

Run the following cURL command:

    curl -i -v -k -X POST -u oauthadmin:{DECODED_PASSWORD} -H "Content-Type: application/json" --data @registration.json https://cp-console.apps.rpa-sso5.cp.fyre.ibm.com:443/idauth/oidc/endpoint/OP/registration

Note: The oauthadmin user in the cURL command authenticates with the decoded password that you generated, and the --data @registration.json option sends the JSON file that you created.
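The decode, registration.json and cURL steps above combined into one script, as an added example that is not part of the IBM documentation: it reads the registration secret out of the oc get secret output, fills in the three placeholders, checks the redirect URIs before registering, and builds the same Basic-auth POST that the cURL line sends. The secret YAML and the host name cp-console.example.com are constructed sample values, and the function names are this example's own.

```python
import base64
import json
import urllib.request

# Constructed sample of `oc ... get secret platform-oidc-credentials -o yaml` output;
# the base64 value decodes to "secret123" and is not a real credential.
SAMPLE_SECRET_YAML = """\
kind: Secret
data:
  OAUTH2_CLIENT_REGISTRATION_SECRET: c2VjcmV0MTIz
  WLP_CLIENT_ID: d2xwLWNsaWVudA==
"""

def registration_secret(secret_yaml, key="OAUTH2_CLIENT_REGISTRATION_SECRET"):
    # Find one data field in the secret YAML and base64-decode it (certutil -decode step).
    for line in secret_yaml.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name == key:
            return base64.b64decode(value.strip()).decode()
    raise KeyError(key)

def registration_payload(ip, api_port, ui_port):
    # The page's registration.json with the three placeholders filled in.
    api, ui = f"https://{ip}:{api_port}", f"https://{ip}:{ui_port}"
    return {
        "scope": "openid", "preauthorized_scope": "openid", "introspect_tokens": True,
        "response_types": ["code", "token", "id_token token"],
        "grant_types": ["authorization_code", "client_credentials", "implicit", "refresh_token",
                        "urn:ietf:params:oauth:grant-type:jwt-bearer", "password"],
        "redirect_uris": [f"{api}/oidc-callback"],
        "post_logout_redirect_uris": [ui],
        "trusted_uri_prefixes": [ui, api],
        "appTokenAllowed": True, "allow_regexp_redirects": False,
    }

def check_payload(payload):
    # Pre-registration check: every redirect is https and under a trusted prefix, and
    # regexp redirects stay off, so tokens cannot be sent to an unlisted host.
    prefixes = tuple(payload["trusted_uri_prefixes"])
    uris = payload["redirect_uris"] + payload["post_logout_redirect_uris"]
    return not payload["allow_regexp_redirects"] and all(
        u.startswith("https://") and u.startswith(prefixes) for u in uris)

def build_request(console_host, payload, decoded_secret):
    # Same request as the page's curl line (-u oauthadmin:{DECODED_PASSWORD}, JSON body),
    # returned unsent; urllib verifies the TLS certificate by default, unlike curl -k.
    token = base64.b64encode(f"oauthadmin:{decoded_secret}".encode()).decode()
    return urllib.request.Request(
        f"https://{console_host}:443/idauth/oidc/endpoint/OP/registration",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
```

To actually register, pass the returned request to urllib.request.urlopen and keep the clientId and clientSecret from the response body.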

Expected output

Among all the data that is returned, you must save the clientId and clientSecret. Both are used in the server installation, in the OIDC configuration section.