Creating an OpenID Connect Identity Provider Configuration
Function
This API is provided for the administrator to create an OpenID Connect identity provider configuration after creating an identity provider and registering a protocol (OpenID Connect).
The API can be called using both the global endpoint and region-specific endpoints.
Authorization Information
Each account is authorized to call all APIs, but its IAM users must obtain necessary permissions. For details, see Permissions and Supported Actions.
URI
POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config
Parameter | Mandatory | Type | Description |
|---|---|---|---|
idp_id | Yes | String | Identity provider name. |
Request Parameters
Parameter | Mandatory | Type | Description |
|---|---|---|---|
Content-Type | Yes | String | Fill application/json;charset=utf8 in this field. |
X-Auth-Token | Yes | String | Access token issued to a user to bear its identity and permissions. For details about the permissions required by the token, see Actions. |
Parameter | Mandatory | Type | Description |
|---|---|---|---|
Yes | object | OpenID Connect configurations. |
Parameter | Mandatory | Type | Description |
|---|---|---|---|
access_mode | Yes | String | Access type. Options:
|
idp_url | Yes | String | URL of the OpenID Connect identity provider. This field corresponds to the iss field in the ID token. Length: 10 to 255 characters. |
client_id | Yes | String | ID of a client registered with the OpenID Connect identity provider. Length: 5 to 255 characters. |
authorization_endpoint | No | String | Authorization endpoint of the OpenID Connect identity provider. This parameter is mandatory when the access type is set to program_console. Length: 10 to 255 characters. |
scope | No | String | Scopes of authorization requests. This parameter is mandatory when the access type is set to program_console. Enumerated values:
|
response_type | No | String | Response type. This parameter is mandatory when the access type is set to program_console. Enumerated value:
|
response_mode | No | String | Response mode. This parameter is mandatory when the access type is set to program_console. Enumerated values:
|
signing_key | Yes | String | Public key used to sign the ID token of the OpenID Connect identity provider. Length: 10 to 30,000 characters. Format example: {
"keys":[
{
"kid":"d05ef20c4512645vv1..." ,
"n":"cws_cnjiwsbvweolwn_-vnl...",
"e":"AQAB",
"kty":"RSA",
"use":"sig",
"alg":"RS256"
}
]
} |
Response Parameters
Status code: 201
Parameter | Type | Description |
|---|---|---|
object | OpenID Connect configurations. |
Parameter | Type | Description |
|---|---|---|
access_mode | String | Access type. Options:
|
idp_url | String | URL of the OpenID Connect identity provider. This field corresponds to the iss field in the ID token. |
client_id | String | ID of a client registered with the OpenID Connect identity provider. |
authorization_endpoint | String | Authorization endpoint of the OpenID Connect identity provider. The value null is returned when the access type is set to program. |
scope | String | Scopes of authorization requests. The value null is returned when the access type is set to program. Enumerated values:
|
response_type | String | Response type. The value null is returned when the access type is set to program. Enumerated value:
|
response_mode | String | Response mode. The value null is returned when the access type is set to program. Enumerated values:
|
signing_key | String | Public key used to sign the ID token of the OpenID Connect identity provider. |
Example Request
- Request for creating an OpenID Connect identity provider that supports programmatic access configurations
POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config { "openid_connect_config" : { "access_mode" : "program", "idp_url" : "https://accounts.example.com", "client_id" : "client_id_example", "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}" } } - Request for creating an OpenID Connect identity provider that supports programmatic access and console access configurations
POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config { "openid_connect_config" : { "access_mode" : "program_console", "idp_url" : "https://accounts.example.com", "client_id" : "client_id_example", "authorization_endpoint" : "https://accounts.example.com/o/oauth2/v2/auth", "scope" : "openid", "response_type" : "id_token", "response_mode" : "form_post", "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}" } }
Example Response
Status code: 201
The identity provider is created successfully.
- Example 1
{ "openid_connect_config" : { "access_mode" : "program", "idp_url" : "https://accounts.example.com", "client_id" : "client_id_example", "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}" } } - Example 2
{ "openid_connect_config" : { "access_mode" : "program_console", "idp_url" : "https://accounts.example.com", "client_id" : "client_id_example", "authorization_endpoint" : "https://accounts.example.com/o/oauth2/v2/auth", "scope" : "openid", "response_type" : "id_token", "response_mode" : "form_post", "signing_key" : "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"example\",\"kid\":\"kid_example\",\"alg\":\"RS256\"}]}" } }
Status Codes
Status Code | Description |
|---|---|
201 | The identity provider is created successfully. |
400 | Invalid parameters. |
401 | Authentication failed. |
403 | Access denied. |
404 | The requested resource cannot be found. |
409 | The resource already exists. |
500 | Internal server error. |
Error Codes
For details, see Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
