Create
Request example (JavaScript, fetch):

```javascript
// Replace <Authorization> with a valid API token before running.
const url = 'https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/web/custom/namespaces/example/oidc_providers';
const options = {
  method: 'POST',
  headers: { Authorization: '<Authorization>', 'Content-Type': 'application/json' },
  body: JSON.stringify({
    namespace: 'example',
    spec: {
      azure_oidc_spec_type: {
        authorization_url: 'example',
        backchannel_logout: true,
        client_id: 'example',
        client_secret: 'example',
        default_scopes: 'example',
        issuer: 'example',
        jwks_url: 'example',
        logout_url: 'example',
        prompt: 'UNSPECIFIED',
        token_url: 'example',
        user_info_url: 'example'
      },
      google_oidc_spec_type: {
        client_id: 'example',
        client_secret: 'example',
        hosted_domain: 'example'
      },
      oidc_v10_spec_type: {
        allowed_clock_skew: 'example',
        authorization_url: 'example',
        backchannel_logout: true,
        client_id: 'example',
        client_secret: 'example',
        default_scopes: 'example',
        disable_user_info: true,
        display_name: 'example',
        forwarded_query_parameters: 'example',
        issuer: 'example',
        jwks_url: 'example',
        logout_url: 'example',
        pass_current_locale: true,
        pass_login_hint: true,
        prompt: 'UNSPECIFIED',
        token_url: 'example',
        user_info_url: 'example',
        validate_signatures: true
      },
      okta_oidc_spec_type: {
        authorization_url: 'example',
        backchannel_logout: true,
        client_id: 'example',
        client_secret: 'example',
        default_scopes: 'example',
        issuer: 'example',
        jwks_url: 'example',
        logout_url: 'example',
        prompt: 'UNSPECIFIED',
        token_url: 'example',
        user_info_url: 'example'
      },
      provider_type: 'DEFAULT'
    }
  })
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```

Request example (curl):

```shell
curl --request POST \
  --url https://example-corp.console.ves.volterra.io/api/v1/api/production/us-east-1/namespaces/default/api/web/custom/namespaces/example/oidc_providers \
  --header 'Authorization: <Authorization>' \
  --header 'Content-Type: application/json' \
  --data '{
    "namespace": "example",
    "spec": {
      "azure_oidc_spec_type": {
        "authorization_url": "example",
        "backchannel_logout": true,
        "client_id": "example",
        "client_secret": "example",
        "default_scopes": "example",
        "issuer": "example",
        "jwks_url": "example",
        "logout_url": "example",
        "prompt": "UNSPECIFIED",
        "token_url": "example",
        "user_info_url": "example"
      },
      "google_oidc_spec_type": {
        "client_id": "example",
        "client_secret": "example",
        "hosted_domain": "example"
      },
      "oidc_v10_spec_type": {
        "allowed_clock_skew": "example",
        "authorization_url": "example",
        "backchannel_logout": true,
        "client_id": "example",
        "client_secret": "example",
        "default_scopes": "example",
        "disable_user_info": true,
        "display_name": "example",
        "forwarded_query_parameters": "example",
        "issuer": "example",
        "jwks_url": "example",
        "logout_url": "example",
        "pass_current_locale": true,
        "pass_login_hint": true,
        "prompt": "UNSPECIFIED",
        "token_url": "example",
        "user_info_url": "example",
        "validate_signatures": true
      },
      "okta_oidc_spec_type": {
        "authorization_url": "example",
        "backchannel_logout": true,
        "client_id": "example",
        "client_secret": "example",
        "default_scopes": "example",
        "issuer": "example",
        "jwks_url": "example",
        "logout_url": "example",
        "prompt": "UNSPECIFIED",
        "token_url": "example",
        "user_info_url": "example"
      },
      "provider_type": "DEFAULT"
    }
  }'
```

Create creates an OIDC provider in F5XC Identity. Currently, creating a provider is supported for brokering the Google identity provider and any generic OIDC provider that supports OpenID Connect 1.0.

To configure the Google type (provider_type 1), the user does not need to provide well-known URL details, as these are already pre-configured; the client ID, client secret and the additional optional parameters listed in the create schema must be provided. To configure the default type (provider_type 0), the user must provide the well-known URLs and the additional fields required by the create schema. See the create response section for the action that needs to be taken after a successful create request.
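Added example (not from the F5 XC docs or any F5 SDK): for the default type (provider_type 0 / DEFAULT), where the administrator has to supply the well-known URLs, this builds the oidc_v10_spec_type part of the Create body from a provider's OIDC discovery document and refuses plaintext endpoints or an unexpected issuer. The discovery document, the hypothetical buildOidcV10Spec and requireHttps helpers and the option names are constructed assumptions; only the request field names come from the page.

```javascript
// Added example, not from the F5 XC docs or any F5 library: derive a
// provider_type DEFAULT / oidc_v10_spec_type Create body from an IdP's OIDC
// discovery document and reject weak or inconsistent settings before sending.

// Constructed sample of an IdP's /.well-known/openid-configuration response.
const SAMPLE_DISCOVERY = {
  issuer: "https://idp.example.test",
  authorization_endpoint: "https://idp.example.test/oauth2/authorize",
  token_endpoint: "https://idp.example.test/oauth2/token",
  jwks_uri: "https://idp.example.test/oauth2/keys",
  userinfo_endpoint: "https://idp.example.test/oauth2/userinfo",
  end_session_endpoint: "https://idp.example.test/oauth2/logout",
  backchannel_logout_supported: true,
};

// Each URL must parse and use https; a plaintext endpoint would carry the client
// secret and tokens unprotected. The value is returned unchanged (not normalized)
// because OIDC issuer comparison is an exact string match.
function requireHttps(field, value) {
  let u;
  try { u = new URL(value); } catch { throw new Error(`${field}: not a URL`); }
  if (u.protocol !== "https:") throw new Error(`${field}: must use https`);
  return value;
}

// opts (hypothetical): { namespace, displayName, clientId, clientSecret, expectedIssuer }
function buildOidcV10Spec(disc, opts) {
  // Pin the issuer: a discovery document fetched from the wrong host must not
  // be able to repoint the broker at someone else's endpoints.
  if (disc.issuer !== opts.expectedIssuer) {
    throw new Error(`issuer mismatch: ${disc.issuer} vs ${opts.expectedIssuer}`);
  }
  const oidc = {
    display_name: opts.displayName,
    issuer: requireHttps("issuer", disc.issuer),
    authorization_url: requireHttps("authorization_url", disc.authorization_endpoint),
    token_url: requireHttps("token_url", disc.token_endpoint),
    jwks_url: requireHttps("jwks_url", disc.jwks_uri),
    user_info_url: requireHttps("user_info_url", disc.userinfo_endpoint),
    logout_url: disc.end_session_endpoint
      ? requireHttps("logout_url", disc.end_session_endpoint) : "",
    client_id: opts.clientId,
    client_secret: opts.clientSecret,
    default_scopes: "openid profile email", // the docs' recommended baseline
    validate_signatures: true,              // enforceable because jwks_url is set
    backchannel_logout: disc.backchannel_logout_supported === true,
    prompt: "UNSPECIFIED",
  };
  return { namespace: opts.namespace, spec: { provider_type: "DEFAULT", oidc_v10_spec_type: oidc } };
}
```

The returned object is what goes into the request body of the Create call shown above; the discovery fetch itself is left to the caller.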
Authorizations

Parameters

Path Parameters

Namespace: Supports only system namespace.

Request Body (required)

Create request shape for creating an OIDC provider in IAM.
Request body (object). Field names below follow the request example above.

- namespace: Supports only system namespace.
- spec (object)
  - azure_oidc_spec_type (object)
    - authorization_url: The authorization URL of your OIDC application. Required: YES.
    - backchannel_logout: Does the external IDP support backchannel logout?
    - client_id: Client ID of the OIDC application registered with the Azure provider. Required: YES.
    - client_secret: Secret of the OIDC application registered with the Azure provider. Required: YES.
    - default_scopes: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. The recommendation is to set the default scopes to 'openid profile email' and add further scopes only if needed.
    - issuer: The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    - jwks_url: URL where the identity provider's keys in JWK format are stored.
    - logout_url: Logout URL specified in your OIDC application.
    - token_url: The token URL of your OIDC application. Required: YES.
    - user_info_url: The User Info URL specified in your OIDC application.
  - google_oidc_spec_type (object)
    - client_id: Client ID of the OIDC application registered with the Google provider. Required: YES.
    - client_secret: Secret of the OIDC application registered with the Google provider. Required: YES.
    - hosted_domain: Set a hosted domain to restrict the e-mail address entered on the login form to this domain. For example, the value company.com enforces that the user's e-mail input is of the form username@company.com. Leave it empty if no restriction is required, i.e. to allow both user@company1.com and user@company2.com.
  - oidc_v10_spec_type (object)
    - allowed_clock_skew: Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.
    - authorization_url: The authorization URL of your OIDC application. Required: YES.
    - backchannel_logout: Does the external IDP support backchannel logout?
    - client_id: Client ID of the OIDC application registered with your identity/OIDC provider. Required: YES.
    - client_secret: Secret of the OIDC application registered with your identity/OIDC provider. Required: YES.
    - default_scopes: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. The recommendation is to set the default scopes to 'openid profile email' and add further scopes only if needed.
    - disable_user_info: Disable fetching of user info.
    - display_name: Friendly name for the identity provider.
    - forwarded_query_parameters: Non-standard (not OpenID Connect/OAuth) query parameters to be forwarded to the external IDP from the initial application request to the Authorization Endpoint. Multiple parameters can be entered, separated by comma (,).
    - issuer: The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    - jwks_url: URL where the identity provider's keys in JWK format are stored.
    - logout_url: Logout URL specified in your OIDC application.
    - pass_current_locale: Pass the current locale to the identity provider.
    - pass_login_hint: Pass login_hint to the identity provider.
    - token_url: The token URL of your OIDC application. Required: YES.
    - user_info_url: The User Info URL specified in your OIDC application.
    - validate_signatures: Enable/disable signature validation of external IDP signatures.
  - okta_oidc_spec_type (object)
    - authorization_url: The authorization URL of your OIDC application. Required: YES.
    - backchannel_logout: Does the external IDP support backchannel logout?
    - client_id: Client ID of the OIDC application registered with the Azure provider. Required: YES.
    - client_secret: Secret of the OIDC application registered with the Azure provider. Required: YES.
    - default_scopes: The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. The recommendation is to set the default scopes to 'openid profile email' and add further scopes only if needed.
    - issuer: The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
    - jwks_url: URL where the identity provider's keys in JWK format are stored.
    - logout_url: Logout URL specified in your OIDC application.
    - token_url: The token URL of your OIDC application. Required: YES.
    - user_info_url: The User Info URL specified in your OIDC application.
Responses

A successful response. Create response is the response format for the response to a request to create an OIDC provider in IAM.

Response body (object):

- Logout Redirect URI: After a successful logout, the OIDC application may require the redirect URI to be allow-listed. Configure this URI in your OIDC app so that the user's logout is correctly sent back to our identity service, which then redirects back to the console app's redirect.
- Redirect URI (redirect_uri): Upon successful creation of the OIDC provider object, the user must allow-list the value of this redirect URI in their OIDC application's allowed redirect URLs. This is required as part of the OIDC authentication process: F5XC Identity brokers the authentication request and sends it with this URL set as the redirect_uri. After the client browser has successfully authenticated with your identity provider, the identity provider sends its response back to F5 Distributed Cloud Identity at this redirect URI, so the user must have registered this redirect URL as valid in their OIDC application for authentication to succeed.
Example

```json
{ "err": "EUNKNOWN" }
```

Other responses:

- Returned when operation is not authorized.
- Returned when there is no permission to access resource.
- Returned when resource is not found.
- Returned when operation on resource is conflicting with current value.
- Returned when operation has been rejected as it is happening too frequently.
- Returned when server encountered an error in processing API.
- Returned when service is unavailable temporarily.
- Returned when server timed out processing request.