github.com/kyma-project/kyma-environment-broker@v0.0.1/docs/user/04-10-custom-oidc-configuration.md (about)

# Custom OIDC configuration

To create an SAP BTP, Kyma runtime with a custom OpenID Connect (OIDC) configuration, specify the additional `oidc` provisioning parameters. See the example:

```bash
export VERSION=1.15.0
curl --request PUT "https://$BROKER_URL/oauth/v2/service_instances/$INSTANCE_ID?accepts_incomplete=true" \
  --header 'X-Broker-API-Version: 2.14' \
  --header 'Content-Type: application/json' \
  --header "$AUTHORIZATION_HEADER" \
  --data-raw "{
      \"service_id\": \"47c9dcbf-ff30-448e-ab36-d3bad66ba281\",
      \"plan_id\": \"4deee563-e5ec-4731-b9b1-53b42d855f0c\",
      \"context\": {
          \"globalaccount_id\": \"$GLOBAL_ACCOUNT_ID\"
      },
      \"parameters\": {
          \"name\": \"$NAME\",
          \"region\": \"$REGION\",
          \"oidc\": {
             \"clientID\": \"9bd05ed7-a930-44e6-8c79-e6defeb7dec5\",
             \"issuerURL\": \"https://kymatest.accounts400.ondemand.com\",
             \"groupsClaim\": \"groups\",
             \"signingAlgs\": [\"RS256\"],
             \"usernamePrefix\": \"-\",
             \"usernameClaim\": \"sub\"
          }
      }
  }"
```

> **NOTE:** `clientID` and `issuerURL` values are mandatory for custom OIDC configuration.
    33  
If you do not provide the `oidc` object in the provisioning request, or you leave all of the object's properties empty, the default OIDC configuration is used.
However, if you do not provide the `oidc` object in the update request, or you leave all of the object's properties empty, the saved OIDC configuration stays untouched.
See the following JSON example without the `oidc` object:

```json
{
  "service_id" : "47c9dcbf-ff30-448e-ab36-d3bad66ba281",
  "plan_id" : "4deee563-e5ec-4731-b9b1-53b42d855f0c",
  "context" : {
    "globalaccount_id" : "{GLOBAL_ACCOUNT_ID}"
  },
  "parameters" : {
    "name" : "{CLUSTER_NAME}"
  }
}
```

See the following JSON example with the `oidc` object whose properties are empty:

```json
{
  "service_id" : "47c9dcbf-ff30-448e-ab36-d3bad66ba281",
  "plan_id" : "4deee563-e5ec-4731-b9b1-53b42d855f0c",
  "context" : {
    "globalaccount_id" : "{GLOBAL_ACCOUNT_ID}"
  },
  "parameters" : {
    "name" : "{CLUSTER_NAME}",
    "oidc" : {
      "clientID" : "",
      "issuerURL" : "",
      "groupsClaim" : "",
      "signingAlgs" : [],
      "usernamePrefix" : "",
      "usernameClaim" : ""
    }
  }
}
```

This is the default OIDC configuration in JSON:

```json
{
  ...
    "oidc" : {
      "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9",
      "issuerURL" : "https://kymatest.accounts400.ondemand.com",
      "groupsClaim" : "groups",
      "signingAlgs" : ["RS256"],
      "usernamePrefix" : "-",
      "usernameClaim" : "sub"
    }
  ...
}
```
    85  
To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs.
The update operation overwrites the entire OIDC configuration with the values provided in JSON, which means that OIDC properties with empty values are considered valid and are written as provided. See the following scenario:

1. An existing instance has the following OIDC configuration:
   ```
   ClientID: 9bd05ed7-a930-44e6-8c79-e6defeb7dec9
   IssuerURL: https://kymatest.accounts400.ondemand.com
   GroupsClaim: groups
   UsernameClaim: sub
   UsernamePrefix: -
   SigningAlgs: RS256
   ```
2. A user sends an update request (HTTP PUT) with the following JSON in the payload:
   ```json
   {
     "service_id" : "47c9dcbf-ff30-448e-ab36-d3bad66ba281",
     "plan_id" : "4deee563-e5ec-4731-b9b1-53b42d855f0c",
     "context" : {
       "globalaccount_id" : "{GLOBAL_ACCOUNT_ID}"
     },
     "parameters" : {
       "name" : "{CLUSTER_NAME}",
       "oidc" : {
         "clientID" : "new-client-id",
         "issuerURL" : "https://new-issuer-url.local.com",
         "groupsClaim" : "",
         "signingAlgs" : [],
         "usernamePrefix" : "",
         "usernameClaim" : ""
       }
     }
   }
   ```
3. The OIDC configuration is updated to the values of the `oidc` object from the JSON provided in the update request:
   ```
   ClientID: new-client-id
   IssuerURL: https://new-issuer-url.local.com
   GroupsClaim:
   UsernameClaim:
   UsernamePrefix:
   SigningAlgs:
   ```
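
The provisioning and update rules described on this page (default on an absent or all-empty `oidc` object at provisioning, saved configuration kept on an absent or all-empty object at update, mandatory `clientID` and `issuerURL` otherwise, and a whole-object overwrite that keeps empty optional properties), modelled as an added Go example that is not the broker's own code. The `OIDCConfig` type, the `ResolveOIDC` function and the sample payload are constructed for illustration; only the JSON property names and the default values come from the document.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// OIDCConfig mirrors the "oidc" object of the provisioning and update parameters.
type OIDCConfig struct {
	ClientID       string   `json:"clientID"`
	IssuerURL      string   `json:"issuerURL"`
	GroupsClaim    string   `json:"groupsClaim"`
	SigningAlgs    []string `json:"signingAlgs"`
	UsernamePrefix string   `json:"usernamePrefix"`
	UsernameClaim  string   `json:"usernameClaim"`
}
// defaultOIDC is the default configuration quoted in this document.
var defaultOIDC = OIDCConfig{ClientID: "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", GroupsClaim: "groups",
	IssuerURL: "https://kymatest.accounts400.ondemand.com", SigningAlgs: []string{"RS256"}, UsernamePrefix: "-", UsernameClaim: "sub"}
// ErrMissingMandatory is the validation error for a non-empty object that lacks clientID or issuerURL.
var ErrMissingMandatory = errors.New("oidc: clientID and issuerURL are mandatory")
// IsEmpty reports whether the object is absent or all of its properties are empty.
func (o *OIDCConfig) IsEmpty() bool {
	return o == nil || (o.ClientID == "" && o.IssuerURL == "" && o.GroupsClaim == "" &&
		len(o.SigningAlgs) == 0 && o.UsernamePrefix == "" && o.UsernameClaim == "")
}
// ResolveOIDC applies the documented rules to the "parameters" JSON of a request; saved == nil means provisioning, otherwise saved is the instance's stored configuration being updated.
func ResolveOIDC(saved *OIDCConfig, paramsJSON []byte) (OIDCConfig, error) {
	var p struct{ OIDC *OIDCConfig `json:"oidc"` }
	if err := json.Unmarshal(paramsJSON, &p); err != nil {
		return OIDCConfig{}, err
	}
	if p.OIDC.IsEmpty() { // absent or all-empty: default on provisioning, untouched on update
		if saved == nil {
			return defaultOIDC, nil
		}
		return *saved, nil
	}
	if p.OIDC.ClientID == "" || p.OIDC.IssuerURL == "" {
		return OIDCConfig{}, ErrMissingMandatory
	}
	return *p.OIDC, nil // the whole object is replaced, empty optional properties included
}

func main() {
	saved := defaultOIDC // constructed: the instance starts with the default configuration
	got, err := ResolveOIDC(&saved, []byte(`{"oidc":{"clientID":"new-client-id","issuerURL":"https://new-issuer-url.local.com","groupsClaim":"","signingAlgs":[],"usernamePrefix":"","usernameClaim":""}}`))
	fmt.Printf("%+v err=%v\n", got, err)
}
```

Running `main` reproduces step 3 of the scenario: `GroupsClaim`, `UsernameClaim`, `UsernamePrefix` and `SigningAlgs` come back empty because the update replaced the stored object rather than merging into it.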