Add OpenID Connect Identity Provider
This method creates an OpenID Connect (OIDC) Identity Provider in the Vault. Any user who is a member of the Vault admins group can run this web service.
This API must be used with the Add authentication method API in order to have a complete authentication configuration. When you add an OIDC Identity Provider, you must also add the provider to the list of authentication methods using the same ID, and add the provider's base URL to the access restriction list by using the following APIs:
URL
- Make sure there are no spaces in the URL.
- The following characters are not supported in URL values: + & %
- If the URL includes a dot (.), add a forward slash (/) at the end of the URL. For example: api/Safes/MySafe/Members/user@cyber.com/
Resource information
| HTTP method | Content type |
|---|---|
| POST | application/json |
Header parameter
| Parameter | Description |
|---|---|
| Authorization | The token that identifies the session, encoded in BASE 64. Type: string. Mandatory: yes. Default value: none. |
Body parameters
```json
{
  "id": "opserver",
  "authenticationFlow": "Code",
  "discoveryEndpointUrl": "https://Domain.com/OPServer/.well-known/openid-configuration",
  "clientId": "pvwa",
  "clientSecret": "secret",
  "clientSecretMethod": "basic"
}
```
| Parameter | Description |
|---|---|
| id | The unique identifier of the provider. This ID is used to identify the OIDC Identity Provider in PVWA. Type: string. Mandatory: yes. Default value: none. Max length: 50. |
| authenticationFlow | The OIDC connection flow. Type: string. Mandatory: no. Default value: Code. Valid values: Code. |
| authenticationEndpointUrl | The URL of the provider's authorization endpoint. Authentication requests will be sent to this URL. Note: This is not relevant if the Discovery URL is provided. Type: URL. Mandatory: yes (when no discovery URL is provided). Default value: none. |
| issuer | The Issuer Identifier for the OpenID Provider. This is used by the application to verify that the response was issued from a specific provider. Note: This is not relevant if the Discovery URL is provided. Type: string. Mandatory: yes (when no discovery URL is provided). Default value: none. |
| description | A description of the provider. Type: string. Mandatory: no. Default value: none. Max length: 255. |
| discoveryEndpointUrl | OIDC defines a discovery mechanism, called OpenID Connect Discovery, where an OIDC Identity Provider publishes its metadata at a well-known URL. This URL returns the metadata that describes the provider's configuration. Type: URL. Mandatory: yes. Default value: none. |
| jwkSet | (JSON Web Key Set) The set of keys provided by the OIDC Identity Provider for validating JWTs (JSON Web Tokens) during the authentication flow. The JSON must include a "keys" parameter, which is an array of JWKs (JWT signing keys). Note: This is not relevant if the Discovery URL is provided. Type: string. Mandatory: yes (when no discovery URL is provided). Default value: none. |
| clientId | The unique identifier for the client application. This ID is created by the provider and assigned to each client application upon registration. Type: string. Mandatory: yes. Default value: none. Max length: 100. |
| clientSecret | The client secret is known only to the application and the provider, and is used for secure communication during the authentication flow. This secret is created by the provider and assigned to each client application upon registration. Type: string. Mandatory: yes. Default value: none. Max length: 200. |
| clientSecretMethod | The client authentication method for the client secret. Type: string. Mandatory: yes. Default value: none. Valid values: Basic, Post. Max length: 50. |
| userNameClaim | The claim in the ID token provided by the OIDC Identity Provider that contains the user name. Note: By default, the system uses the preferred_username claim in the ID token. Type: string. Mandatory: no. Default value: preferred_username. Valid characters: Aa-Zz, underscore "_". Max length: 50. |
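As an added example (not part of the CyberArk documentation or product code), a pre-flight validator that checks a request body against the constraints listed in the table above before the call is made, including the rule that the endpoint, issuer and JWK set become mandatory when no discovery URL is given. Comparing clientSecretMethod case-insensitively is an assumption based on the page's own example, which sends "basic".

```python
import json
import re

# Constraints documented on this page for the request body.
MAX_LEN = {"id": 50, "description": 255, "clientId": 100,
           "clientSecret": 200, "clientSecretMethod": 50, "userNameClaim": 50}
ALWAYS_REQUIRED = ("id", "clientId", "clientSecret", "clientSecretMethod")
REQUIRED_WITHOUT_DISCOVERY = ("authenticationEndpointUrl", "issuer", "jwkSet")
CLAIM_RE = re.compile(r"^[A-Za-z_]+$")  # "Valid characters: Aa-Zz, underscore"


def validate_oidc_provider(body: dict) -> list:
    """Return the list of documented rules the body violates (empty list means OK)."""
    errors = []
    for field in ALWAYS_REQUIRED:
        if not body.get(field):
            errors.append(f"{field} is mandatory")
    for field, limit in MAX_LEN.items():
        if isinstance(body.get(field), str) and len(body[field]) > limit:
            errors.append(f"{field} exceeds max length {limit}")
    if body.get("authenticationFlow", "Code") != "Code":
        errors.append("authenticationFlow: only Code is valid")
    # Page lists Basic and Post; its example sends "basic", so compare case-insensitively (assumption).
    method = body.get("clientSecretMethod", "")
    if method and method.lower() not in ("basic", "post"):
        errors.append("clientSecretMethod must be Basic or Post")
    if not CLAIM_RE.match(body.get("userNameClaim", "preferred_username")):
        errors.append("userNameClaim may only contain letters and underscores")
    # Without a discovery URL, the endpoint, issuer and signing keys must be supplied explicitly.
    if not body.get("discoveryEndpointUrl"):
        for field in REQUIRED_WITHOUT_DISCOVERY:
            if not body.get(field):
                errors.append(f"{field} is mandatory when no discoveryEndpointUrl is provided")
        if body.get("jwkSet"):
            try:
                keys = json.loads(body["jwkSet"]).get("keys")
            except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
                keys = None
            if not isinstance(keys, list) or not keys:
                errors.append('jwkSet must be JSON with a non-empty "keys" array')
    return errors


# Constructed sample: a manual (non-discovery) configuration with a jwkSet lacking "keys" and a bad claim name.
SAMPLE = {
    "id": "opserver", "clientId": "pvwa", "clientSecret": "secret", "clientSecretMethod": "Post",
    "authenticationEndpointUrl": "https://Domain.com/OPServer/authorize",
    "issuer": "https://Domain.com/OPServer", "jwkSet": '{"kid": "x"}', "userNameClaim": "upn-name",
}
```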
Result
| Parameter | Description |
|---|---|
| id | The unique identifier of the provider. This ID is used to identify the OIDC Identity Provider in PVWA. Type: string. |
| authenticationFlow | The OIDC connection flow. Type: string. |
| authenticationEndpointUrl | The URL of the provider's authorization endpoint. Authentication requests will be sent to this URL. Note: This is not relevant if the Discovery URL is provided. Type: URL. |
| issuer | The Issuer Identifier for the OpenID Provider. This is used by the application to verify that the response was issued from a specific provider. Note: This is not relevant if the Discovery URL is provided. Type: string. |
| description | A description of the provider. Type: string. |
| discoveryEndpointUrl | OIDC defines a discovery mechanism, called OpenID Connect Discovery, where an OIDC Identity Provider publishes its metadata at a well-known URL. This URL returns the metadata that describes the provider's configuration. Type: URL. |
| jwkSet | (JSON Web Key Set) The set of keys provided by the OIDC Identity Provider for validating JWTs (JSON Web Tokens) during the authentication flow. The JSON must include a "keys" parameter, which is an array of JWKs (JWT signing keys). Note: This is not relevant if the Discovery URL is provided. Type: JSON that represents a set of JWKs. |
| clientId | The unique identifier for the client application. This ID is created by the provider and assigned to each client application upon registration. Type: string. |
| clientSecretMethod | The client authentication method for the client secret. Type: string. Valid values: Basic, Post. |
| userNameClaim | The claim in the ID token provided by the OIDC Identity Provider that contains the user name. Note: By default, the system uses the preferred_username claim in the ID token. Type: string. |
Return codes
For a complete list of return codes, see Return Codes.