Run the script (create-oidc-user-registry.sh). If it succeeds, you will see output like the following, showing that the user registry named azure-oidc has been created and set as the default registry in the cloud settings.
% ./create-oidc-user-registry.sh
apic login -r admin/default-idp-1 -s https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic -u admin -p ***************
Warning: Using default toolkit credentials.
Logged into cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud successfully
Create user registry azure-oidc.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1753 100 1753 0 0 2317 0 --:--:-- --:--:-- --:--:-- 2328
{
"name": "azure-oidc",
"title": "azure-oidc",
"visibility": {
"type": "public"
},
"case_sensitive": false,
"email_required": false,
"email_unique_if_exist": true,
"configuration": {
"provider_type": "standard",
"authorization_endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/oauth2/v2.0/authorize",
"token_endpoint": {
"endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/oauth2/v2.0/token",
"tls_client_profile_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8/tls-client-profiles/359edadf-1905-48d2-b169-08705f8f296f"
},
"userinfo_endpoint": {
"endpoint": "https://graph.microsoft.com/oidc/userinfo",
"tls_client_profile_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8/tls-client-profiles/359edadf-1905-48d2-b169-08705f8f296f"
},
"jwks_uri": {
"endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/discovery/v2.0/keys",
"tls_client_profile_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8/tls-client-profiles/359edadf-1905-48d2-b169-08705f8f296f"
},
"logout_endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/oauth2/v2.0/logout",
"client_id": "******* masked out *******",
"client_secret": "******* masked out *******",
"response_type": "code",
"scope": "openid email",
"credential_location": "auth_header",
"features": [
"auto_onboard",
"userinfo"
],
"field_mapping": {
"email": "email",
"username": "name",
"first_name": "given_name",
"last_name": "family_name"
}
},
"registry_type": "oidc",
"org_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8",
"integration_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/cloud/integrations/user-registry/a2872422-95c1-4ebd-84ce-6907e78811a9"
}
{
"type": "user_registry",
"api_version": "2.0.0",
"id": "62fc9261-3393-4aa6-a273-14e0b2cf705a",
"name": "azure-oidc",
"title": "azure-oidc",
"visibility": {
"type": "public"
},
"case_sensitive": false,
"email_required": false,
"email_unique_if_exist": true,
"configuration": {
"provider_type": "standard",
"authorization_endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/oauth2/v2.0/authorize",
"token_endpoint": {
"endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/oauth2/v2.0/token",
"tls_client_profile_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8/tls-client-profiles/359edadf-1905-48d2-b169-08705f8f296f"
},
"userinfo_endpoint": {
"endpoint": "https://graph.microsoft.com/oidc/userinfo",
"tls_client_profile_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8/tls-client-profiles/359edadf-1905-48d2-b169-08705f8f296f"
},
"jwks_uri": {
"endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/discovery/v2.0/keys",
"tls_client_profile_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8/tls-client-profiles/359edadf-1905-48d2-b169-08705f8f296f"
},
"logout_endpoint": "https://login.microsoftonline.com/83100458-a9da-4cf4-bf20-a39f85680132/oauth2/v2.0/logout",
"client_id": "ed85e538-01d7-4659-88ee-de96e7ffdb49",
"client_secret": "********",
"response_type": "code",
"scope": "openid email",
"credential_location": "auth_header",
"features": [
"auto_onboard",
"userinfo"
],
"field_mapping": {
"email": "email",
"username": "name",
"first_name": "given_name",
"last_name": "family_name"
},
"request_endpoint": {},
"email_endpoint": {},
"state_ttl": "1200",
"redirect_uris": {
"provider": {
"redirect_uri": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/manager/uia/oauth2/redirect",
"redirect_uri_implicit": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/manager/oauth2/redirect",
"oidc_redirect_uri": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/oauth2/redirect"
},
"admin": {
"redirect_uri": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/admin/uia/oauth2/redirect",
"redirect_uri_implicit": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/admin/oauth2/redirect",
"oidc_redirect_uri": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/oauth2/redirect"
},
"consumer": {
"redirect_uri": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/consumer-api/ibm_apim/oauth2/redirect",
"oidc_redirect_uri": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/consumer-api/oauth2/redirect"
}
}
},
"registry_type": "oidc",
"integration_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/cloud/integrations/user-registry/a2872422-95c1-4ebd-84ce-6907e78811a9",
"owned": true,
"external_group_mapping_enabled": false,
"identity_providers": [
{
"name": "azure-oidc",
"title": "azure-oidc"
}
],
"user_managed": false,
"user_registry_managed": false,
"created_at": "2023-04-25T12:51:50.365Z",
"updated_at": "2023-04-25T12:51:50.365Z",
"org_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/orgs/0e5bc3ae-e943-4626-825c-5287650247f8",
"url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/62fc9261-3393-4aa6-a273-14e0b2cf705a"
}
{
"admin_user_registry_urls": [ "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/32b3ef9c-1500-4d3d-86d8-0aed44569daa","https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/42d3121a-9d31-47b5-a15b-b27ab2dd25de","https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/62fc9261-3393-4aa6-a273-14e0b2cf705a" ],
"admin_user_registry_default_url": https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/62fc9261-3393-4aa6-a273-14e0b2cf705a,
"provider_user_registry_urls": [ "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/5b9aeec7-dac5-4d8b-bde3-e9d5acc04d76","https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/42d3121a-9d31-47b5-a15b-b27ab2dd25de","https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/62fc9261-3393-4aa6-a273-14e0b2cf705a" ],
"provider_user_registry_default_url": "https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/user-registries/0e5bc3ae-e943-4626-825c-5287650247f8/62fc9261-3393-4aa6-a273-14e0b2cf705a"
}
user-registry-setting https://cpd-cp4i.itzroks-3100015379-c5zltg-6ccd7f378ae819553d37d5f2ee142bd6-0000.us-south.containers.appdomain.cloud/integration/apis/apic/myapic/api/cloud/settings/user-registries
Let's inspect some key points about the script (create-azure-ad-oidc.sh).
- Obtain the endpoints of the OIDC provider (authorization, token, userinfo, jwks_uri, logout) from the Azure AD discovery document (https://login.microsoftonline.com/${AZURE_TENANT_ID}/v2.0/.well-known/openid-configuration).
- Scopes:
  - openid - an OpenID Connect ID token is returned
  - email - the email claim is returned
- Features:
  - auto_onboard - new users are automatically onboarded in API Connect
  - userinfo - the userinfo endpoint can be used to retrieve information about the user
- Field mapping:
  - email (APIC) is mapped to email (Azure AD)
  - username (APIC) is mapped to name (Azure AD)
  - first_name (APIC) is mapped to given_name (Azure AD)
  - last_name (APIC) is mapped to family_name (Azure AD)
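The following Python example (added here; it is not the page's create-azure-ad-oidc.sh script, which uses the apic CLI and curl) shows the same four steps in code: read the provider's discovery document, check it before trusting it, pick out the endpoints, and assemble the user-registry payload with the scopes, features and field mapping listed above. The discovery document is a constructed stand-in for the Azure AD v2.0 one, the tenant ID, TLS client profile URL and client credentials are placeholders, and the function names (sample_discovery_document, parse_discovery, build_registry_config) are the example's own. The checks on the issuer, HTTPS scheme and host are the defensive part: a discovery document fetched for the wrong tenant, or one that names a jwks_uri or token endpoint outside Microsoft's hosts, should never reach the registry configuration.

```python
import json
from urllib.parse import urlparse

# Placeholder tenant ID (assumption; the script reads the real one from AZURE_TENANT_ID).
AZURE_TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Hosts from which endpoints for this tenant are accepted.
TRUSTED_HOSTS = {"login.microsoftonline.com", "graph.microsoft.com"}

# Discovery-document keys -> API Connect configuration keys seen in the page output.
ENDPOINT_KEYS = {
    "authorization_endpoint": "authorization_endpoint",
    "token_endpoint": "token_endpoint",
    "userinfo_endpoint": "userinfo_endpoint",
    "jwks_uri": "jwks_uri",
    "end_session_endpoint": "logout_endpoint",
}


def sample_discovery_document(tenant_id=AZURE_TENANT_ID):
    """CONSTRUCTED stand-in for the Azure AD v2.0 discovery document (subset of fields)."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return json.dumps({
        "issuer": f"{base}/v2.0",
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "token_endpoint": f"{base}/oauth2/v2.0/token",
        "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
        "end_session_endpoint": f"{base}/oauth2/v2.0/logout",
        "scopes_supported": ["openid", "profile", "email", "offline_access"],
        "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    })


def validate_endpoint(name, url):
    """Accept only HTTPS URLs on a trusted host; anything else is a misconfiguration."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"{name}: must be https, got {url!r}")
    if parsed.hostname not in TRUSTED_HOSTS:
        raise ValueError(f"{name}: untrusted host {parsed.hostname!r}")
    return url


def parse_discovery(doc_json, tenant_id):
    """Check the discovery document and return the endpoints keyed by APIC config name."""
    doc = json.loads(doc_json)
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    missing = [k for k in ENDPOINT_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    # The script requests "openid email" and response_type=code; confirm the provider offers them.
    for scope in ("openid", "email"):
        if scope not in doc.get("scopes_supported", []):
            raise ValueError(f"provider does not advertise scope {scope!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not support response_type=code")
    return {apic_key: validate_endpoint(disc_key, doc[disc_key])
            for disc_key, apic_key in ENDPOINT_KEYS.items()}


def build_registry_config(endpoints, tls_client_profile_url, client_id, client_secret):
    """Assemble the user-registry payload with the same shape as the page's output."""
    def with_tls(url):
        return {"endpoint": url, "tls_client_profile_url": tls_client_profile_url}

    return {
        "name": "azure-oidc",
        "title": "azure-oidc",
        "visibility": {"type": "public"},
        "case_sensitive": False,
        "email_required": False,
        "email_unique_if_exist": True,
        "registry_type": "oidc",
        "configuration": {
            "provider_type": "standard",
            "authorization_endpoint": endpoints["authorization_endpoint"],
            "token_endpoint": with_tls(endpoints["token_endpoint"]),
            "userinfo_endpoint": with_tls(endpoints["userinfo_endpoint"]),
            "jwks_uri": with_tls(endpoints["jwks_uri"]),
            "logout_endpoint": endpoints["logout_endpoint"],
            "client_id": client_id,
            "client_secret": client_secret,
            "response_type": "code",
            "scope": "openid email",
            "credential_location": "auth_header",
            "features": ["auto_onboard", "userinfo"],
            "field_mapping": {
                "email": "email",
                "username": "name",
                "first_name": "given_name",
                "last_name": "family_name",
            },
        },
    }


if __name__ == "__main__":
    eps = parse_discovery(sample_discovery_document(), AZURE_TENANT_ID)
    cfg = build_registry_config(eps, "https://tls-profile.placeholder.invalid",
                                "client-id-placeholder", "client-secret-placeholder")
    print(json.dumps(cfg, indent=2))
```

In the real script the discovery document comes from the well-known URL and the payload goes to the apic CLI; the point of this version is that the issuer and host checks run before any endpoint is written into the registry, so a wrong tenant ID fails loudly instead of producing a registry that validates tokens against someone else's keys.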