Registering an Identity Provider

Register the OCI identity provider in the third-party KMS so that it can validate the JSON Web Tokens (JWTs) that OCI External Key Management (EKM) sends with each request.

OCI EKM stays vendor neutral by using OAuth2, the industry-standard protocol: each cryptographic operation request is authorized with a customer-granted OAuth2 access token. All cryptographic requests are transmitted over a dedicated, encrypted connection to the third-party KMS network. On receiving a request, the third-party KMS checks its authenticity by verifying the signature of the OAuth2 access token, a JWT, against the JSON Web Key Set (JWKS) that the OCI identity domain (formerly Oracle Identity Cloud Service, IDCS) publishes at a well-known endpoint.

For OCI EKM to communicate securely with the third-party KMS, you must register the JWKS URL and the credentials (client ID and secret) of the confidential resource app in the third-party KMS; it uses them to fetch the signing keys and validate the JWT.

If you use Thales CipherTrust Manager (CM), see Register JWT Issuer in Thales CipherTrust Manager (CM) in the Thales documentation for details on registering a JWT issuer. Thales users can register the identity provider with the following steps:

  1. Go to your domain in the OCI Console and find the domain URL. See Finding an Identity Domain URL for instructions.

     A domain URL looks like the following example:

     https://idcs-<example_id>.identity.oraclecloud.com:443
  2. Append /.well-known/idcs-configuration to the domain URL and open that URL in a browser. The :443 port is the https default and can be omitted, for example:

     https://idcs-<example_id>.identity.oraclecloud.com/.well-known/idcs-configuration
  3. From the JSON returned at this URL, copy the JSON Web Key Set (JWKS) URL and the identity provider (issuer) value into the third-party KMS or Thales CipherTrust Manager (CM). The issuer must match the iss claim in the tokens exactly, or the KMS will reject them. On CM, select the JWKS protected URL option and enter the client ID and secret of the confidential resource app that you created in the OCI identity domain; the identity domain's JWKS URL is protected, so CM needs these credentials to fetch the signing keys.
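The check that the third-party KMS performs once the identity provider is registered (verify the OAuth2 JWT against the identity domain's JWKS, then check the issuer and expiry) is shown below as an added Go example. It is not OCI, Thales or CipherTrust Manager code. It assumes RS256 signing and replaces the JWKS fetch over the protected URL with an in-memory key set; the key pair, the issuer string, the kid and the claims are all constructed for the demo, with a locally generated RSA key standing in for the identity domain's signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments and JWK n/e are unpadded base64url
// jwk is the part of an RSA JSON Web Key that RS256 verification needs (encoding/json maps the lowercase names onto these fields).
type jwk struct{ Kty, Kid, N, E string }

func publicKeyFromJWKS(keySet []byte, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(keySet, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, errors.New("malformed JWK")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, errors.New("no RSA key in JWKS matches kid " + kid)
}

// VerifyJWT is the check the third-party KMS performs on each EKM request: pin alg to RS256,
// select the key by kid, verify the signature over header.payload, then check iss and exp.
// A production verifier also checks aud and re-fetches the JWKS on an unknown kid (key rotation).
func VerifyJWT(token string, keySet []byte, issuer string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" { // the verifier fixes the algorithm, never the token: rejects alg=none and HS256 key confusion
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := publicKeyFromJWKS(keySet, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return nil, fmt.Errorf("issuer %q is not the registered identity provider", iss)
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}

// SignRS256 and JWKSFor stand in for the identity domain in this demo (constructed, not OCI code).
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	pb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

func JWKSFor(pub *rsa.PublicKey, kid string) []byte {
	k := map[string]string{"kty": "RSA", "kid": kid, "n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{k}})
	return out
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuer := "https://idcs-example.identity.oraclecloud.com" // constructed issuer value
	tok := SignRS256(priv, "k1", map[string]any{"iss": issuer, "sub": "oci-ekm", "exp": time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(VerifyJWT(tok, JWKSFor(&priv.PublicKey, "k1"), issuer, time.Now()))
}
```

The issuer passed to VerifyJWT plays the role of the identity provider value you register in step 3, and the key set plays the role of what CM fetches from the JWKS URL: a token whose iss differs, whose kid is absent from the set, or whose signature was made with another key is rejected before any cryptographic operation is served.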