Add OpenID Connect Identity Provider

This method creates an OpenID Connect (OIDC) Identity Provider in the Vault. Any user who is a member of the Vault admins group can run this web service.


This API must be used with the Add authentication method API in order to have a complete authentication configuration.

When you add an OIDC Identity Provider, you must also add the provider to the list of authentication methods using the same ID, and add the provider's base URL to the access restriction list by using the following APIs:

URL

https://{PVWA_SERVER}/passwordvault/api/Configuration/OIDC/Providers/

  • Make sure there are no spaces in the URL.

  • The following characters are not supported in URL values: + & %

  • If the URL includes a dot (.), add a forward slash (/) at the end of the URL. For example: api/Safes/MySafe/Members/user@cyber.com/

Resource information

HTTP method: POST

Content type: application/json

Header parameter

Parameter

Description

Authorization

The token that identifies the session, encoded in BASE 64.

Type: string

Mandatory: yes

Default value: none

Body parameters

{
  "id": "opserver",
  "authenticationFlow": "Code",
  "discoveryEndpointUrl": "https://Domain.com/OPServer/.well-known/openid-configuration",
  "clientId": "pvwa",
  "clientSecret": "secret",
  "clientSecretMethod": "basic"
}

Parameter

Description

id

The unique identifier of the provider.

This ID is used to identify the OIDC Identity Provider in PVWA.

Type: string

Mandatory: yes

Default value: none

Max length: 50

authenticationFlow

The OIDC connection flow.

Type: string

Mandatory: no

Default value: Code

Valid values: Code

authenticationEndpointUrl

The URL of the provider's authorization endpoint. Authentication requests will be sent to this URL.

Note: This is not relevant if the Discovery URL is provided.

Type: URL

Mandatory: yes (when no discovery URL is provided)

Default value: none

issuer

The Issuer Identifier for the OpenID Provider. The application uses it to verify that the response was issued by a specific provider.

Note: This is not relevant if the Discovery URL is provided.

Type: string

Mandatory: yes (when no discovery URL is provided)

Default value: none

description

A description of the provider.

Type: string

Mandatory: no

Default value: none

Max length: 255

discoveryEndpointUrl

OIDC defines a discovery mechanism, called OpenID Connect Discovery, in which an OIDC Identity Provider publishes its metadata at a well-known URL.

This URL points to the metadata that describes the provider's configuration.

Type: URL

Mandatory: yes

Default value: none

jwkSet

(JSON Web Key Set) The set of keys provided by the OIDC Identity Provider for validating JWTs (JSON Web Tokens) during the authentication flow.

The JSON must include a "keys" parameter, which is an array of JWKs (the JWT signing keys).

Note: This is not relevant if the Discovery URL is provided.

Type: string

Mandatory: yes (when no discovery URL is provided)

Default value: none

clientId

The unique identifier for the client application.

This ID is created by the provider, and assigned to each client application upon registration.

Type: string

Mandatory: yes

Default value: none

Max length: 100

clientSecret

The client secret is known only to the client application and the provider, and is used to secure communication between them during the authentication flow.

This secret is created by the provider, and assigned to each client application upon registration.

Type: string

Mandatory: yes

Default value: none

Max length: 200

clientSecretMethod

The client authentication method for the client secret.

Type: string

Mandatory: yes

Default value: none

Valid values: Basic, Post

Max length: 50

userNameClaim

The property in the ID token provided by the OIDC Identity Provider that contains the user name.

Note: By default, the system will use the preferred_username claim in the ID token.

Type: string

Mandatory: no

Default value: preferred_username

Valid characters: A-Z, a-z, underscore (_)

Max length: 50
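As an added example (not part of this API reference or of PVWA itself), the following Python client checks a request body against the constraints documented in the parameter table above before sending it, so that mandatory-when-no-discovery fields, length limits, the allowed clientSecretMethod values and the userNameClaim character set are enforced client-side. The PVWA host name, the session token value and the urllib-based transport are assumptions; clientSecretMethod is compared case-insensitively because the sample body on this page uses the lowercase value "basic".

```python
import json
import re
import urllib.request

# Field constraints as documented in the parameter table on this page.
MAX_LEN = {"id": 50, "description": 255, "clientId": 100, "clientSecret": 200,
           "clientSecretMethod": 50, "userNameClaim": 50}
ALWAYS_REQUIRED = ("id", "clientId", "clientSecret", "clientSecretMethod")
REQUIRED_WITHOUT_DISCOVERY = ("authenticationEndpointUrl", "issuer", "jwkSet")

def validate_provider_body(body):
    """Return the list of documented rules the body violates (empty means it is valid)."""
    problems = []
    for name in ALWAYS_REQUIRED:
        if not body.get(name):
            problems.append(f"{name} is mandatory")
    if not body.get("discoveryEndpointUrl"):  # no discovery: provider metadata must be given inline
        for name in REQUIRED_WITHOUT_DISCOVERY:
            if not body.get(name):
                problems.append(f"{name} is mandatory when no discovery URL is provided")
    for name, limit in MAX_LEN.items():
        if len(body.get(name, "")) > limit:
            problems.append(f"{name} exceeds max length {limit}")
    if body.get("authenticationFlow", "Code") != "Code":
        problems.append("authenticationFlow must be Code")
    # The page lists Basic and Post but its sample body uses "basic", so compare case-insensitively.
    if str(body.get("clientSecretMethod", "")).lower() not in ("basic", "post"):
        problems.append("clientSecretMethod must be Basic or Post")
    if not re.fullmatch(r"[A-Za-z_]+", body.get("userNameClaim", "preferred_username")):
        problems.append("userNameClaim may only contain letters and underscore")
    if body.get("jwkSet"):  # must be JSON with a "keys" array of JWKs
        try:
            keys = json.loads(body["jwkSet"]).get("keys")
        except (ValueError, AttributeError):
            keys = None
        if not isinstance(keys, list):
            problems.append('jwkSet must be JSON containing a "keys" array')
    return problems

def add_oidc_provider(pvwa_server, session_token, body):
    """Validate the body, then POST it with the session token in the Authorization header (assumed transport)."""
    problems = validate_provider_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"https://{pvwa_server}/passwordvault/api/Configuration/OIDC/Providers/"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": session_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # the response echoes the provider; clientSecret is never returned
```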

Result

{
  "id": "opserver",
  "authenticationFlow": "Code",
  "authenticationEndpointUrl": "",
  "discoveryEndpointUrl": "https://Domain.com/OPServer/.well-known/openid-configuration",
  "issuer": "",
  "description": "",
  "jwkSet": "",
  "clientId": "pvwa",
  "clientSecretMethod": "basic",
  "userNameClaim": "preferred_username"
}

Parameter

Description

id

The unique identifier of the provider.

This ID is used to identify the OIDC Identity Provider in PVWA.

Type: string

authenticationFlow

The OIDC connection flow.

Type: string

authenticationEndpointUrl

The URL of the provider's authorization endpoint. Authentication requests will be sent to this URL.

Note: This is not relevant if the Discovery URL is provided.

Type: URL

issuer

The Issuer Identifier for the OpenID Provider. The application uses it to verify that the response was issued by a specific provider.

Note: This is not relevant if the Discovery URL is provided.

Type: string

description

A description of the provider.

Type: string

discoveryEndpointUrl

OIDC defines a discovery mechanism, called OpenID Connect Discovery, in which an OIDC Identity Provider publishes its metadata at a well-known URL.

This URL points to the metadata that describes the provider's configuration.

Type: URL

jwkSet

(JSON Web Key Set) The set of keys provided by the OIDC Identity Provider for validating JWTs (JSON Web Tokens) during the authentication flow.

The JSON must include a "keys" parameter, which is an array of JWKs (the JWT signing keys).

Note: This is not relevant if the Discovery URL is provided.

Type: JSON that represents a set of JWKs

clientId

The unique identifier for the client application.

This ID is created by the provider, and assigned to each client application upon registration.

Type: string

clientSecretMethod

The client authentication method for the client secret.

Type: string

Valid values: Basic, Post

userNameClaim

The property in the ID token provided by the OIDC Identity Provider that contains the user name.

Note: By default, the system will use the preferred_username claim in the ID token.

Type: string

Return codes

For a complete list of return codes, see Return Codes.