Creating an OpenID Connect Identity Provider

Function

This API is provided for the administrator to create an OpenID Connect identity provider.

URI

POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config

Table 1 URI parameters

Parameter

Mandatory

Type

Description

idp_id

Yes

String

Identity provider ID.

Length: 1 to 64 characters

Request Parameters

Table 2 Parameters in the request header

Parameter

Mandatory

Type

Description

Content-Type

Yes

String

Fill application/json;charset=utf8 in this field.

X-Auth-Token

Yes

String

Token with Security Administrator permissions.

Table 3 Parameters in the request body

Parameter

Mandatory

Type

Description

openid_connect_config

Yes

object

OpenID Connect configurations.

Table 4 CreateOpenIDConnectConfig

Parameter

Mandatory

Type

Description

access_mode

Yes

String

Access type. Options:

  • program_console: programmatic access and management console access.

  • program: programmatic access only.

idp_url

Yes

String

URL of the OpenID Connect identity provider. This field corresponds to the iss field in the ID token.

Length: 10 to 255 characters

client_id

Yes

String

ID of a client registered with the OpenID Connect identity provider.

Length: 5 to 255 characters

authorization_endpoint

No

String

Authorization endpoint of the OpenID Connect identity provider.

This field is required only if access_mode is set to program_console.

Length: 10 to 255 characters

scope

No

String

Scope of authorization requests.

This field is required only if access_mode is set to program_console.

Enumerated values:

  • openid

  • email

  • profile

    Note

    • openid must be specified for this field.

    • You can specify 1 to 10 values and separate them with spaces.

    Example: openid, openid email, openid profile, and openid email profile.

response_type

No

String

Response type.

This field is required only if access_mode is set to program_console.

Enumerated value:

  • id_token

response_mode

No

String

Response mode.

This field is required only if access_mode is set to program_console.

Enumerated values:

  • fragment

  • form_post

signing_key

Yes

String

Public key used to sign the ID token of the OpenID Connect identity provider.

Length: 10 to 30,000 characters

Format example:

{
  "keys":[
     {
        "kid":"d05ef20c4512645vv1..." ,
        "n":"cws_cnjiwsbvweolwn_-vnl...",
        "e":"AQAB",
        "kty":"RSA",
        "use":"sig",
        "alg":"RS256"
      }
   ]
}

Response Parameters

Status code: 201

Table 5 Parameters in the response body

Parameter

Type

Description

openid_connect_config

object

OpenID Connect configurations.

Table 6 openid_connect_config

Parameter

Type

Description

access_mode

String

Access type. Options:

  • program_console: programmatic access and management console access.

  • program: programmatic access only.

idp_url

String

URL of the OpenID Connect identity provider. This field corresponds to the iss field in the ID token.

Length: 10 to 255 characters

client_id

String

ID of a client registered with the OpenID Connect identity provider.

Length: 5 to 255 characters

authorization_endpoint

String

Authorization endpoint of the OpenID Connect identity provider.

This field is required only if access_mode is set to program_console.

Length: 10 to 255 characters

scope

String

Scope of authorization requests.

This field is required only if access_mode is set to program_console.

Enumerated values:

  • openid

  • email

  • profile

    Note

    • openid must be specified for this field.

    • You can specify 1 to 10 values and separate them with spaces.

    Example: openid, openid email, openid profile, and openid email profile.

response_type

String

Response type.

This field is required only if access_mode is set to program_console.

Enumerated value:

  • id_token

response_mode

String

Response mode.

This field is required only if access_mode is set to program_console.

Enumerated values:

  • fragment

  • form_post

signing_key

String

Public key used to sign the ID token of the OpenID Connect identity provider.

Length: 10 to 30,000 characters

Example Request

  • Creating an identity provider that supports programmatic access

    POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config
    
     {
       "openid_connect_config" : {
         "access_mode" : "program",
         "idp_url" : "https://accounts.example.com",
         "client_id" : "client_id_example",
         "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}"
       }
     }
    
  • Creating an identity provider that supports programmatic access and management console access

    POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config
    
     {
       "openid_connect_config" : {
         "access_mode" : "program_console",
         "idp_url" : "https://accounts.example.com",
         "client_id" : "client_id_example",
         "authorization_endpoint" : "https://accounts.example.com/o/oauth2/v2/auth",
         "scope" : "openid",
         "response_type" : "id_token",
         "response_mode" : "form_post",
         "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}"
       }
     }
    

Example Response

Status code: 201

The identity provider is created successfully.

  • Example 1

    {
       "openid_connect_config" : {
         "access_mode" : "program",
         "idp_url" : "https://accounts.example.com",
         "client_id" : "client_id_example",
         "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}"
       }
     }
    
  • Example 2

    {
       "openid_connect_config" : {
         "access_mode" : "program_console",
         "idp_url" : "https://accounts.example.com",
         "client_id" : "client_id_example",
         "authorization_endpoint" : "https://accounts.example.com/o/oauth2/v2/auth",
         "scope" : "openid",
         "response_type" : "id_token",
         "response_mode" : "form_post",
         "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}"
       }
     }
    

Status code: 400

The server failed to process the request.

{
  "error_msg" : "Request body is invalid.",
  "error_code" : "IAM.0011"
}

Status code: 401

Authentication failed.

{
  "error_msg" : "The request you have made requires authentication.",
  "error_code" : "IAM.0001"
}

Status code: 403

Access denied.

{
  "error_msg" : "Policy doesn't allow %(actions)s to be performed.",
  "error_code" : "IAM.0003"
}

Status code: 404

The requested resource cannot be found.

{
  "error_msg" : "Could not find %(target)s: %(target_id)s.",
  "error_code" : "IAM.0004"
}

Status code: 409

The resource already exists.

{
  "error_msg" : "Conflict occurred attempting to store %(type)s - %(details)s.",
  "error_code" : "IAM.0005"
}

Status code: 500

Internal server error.

{
  "error_msg" : "An unexpected error prevented the server from fulfilling your request.",
  "error_code" : "IAM.0006"
}

Status Codes

Status Code

Description

201

The identity provider is created successfully.

400

The server failed to process the request.

401

Authentication failed.

403

Access denied.

404

The requested resource cannot be found.

409

The resource already exists.

500

Internal server error.