4.2.11 Identity Provider Properties

Under identityProvider, enter the properties of the identity provider that issues the JSON Web Tokens (JWTs) which the MicroTx coordinator validates to authenticate incoming requests.

When you set authentication.requestsWithNoJWT to DENY, you must provide values for the identity provider properties listed in the table below.

The audience, adminUserRoles, adminUserRolesPath, and clientSecretName properties are needed only so that users can access the MicroTx console. If you don't want to provide access to the MicroTx console, you can skip providing values for these properties.

Property and description

serverType
    Enter idcs if you are using Oracle IDCS as the identity provider. Otherwise, enter other. The default value is other.

scopes
    If the serverType is idcs, you must specify the scopes that grant the different levels of access. If you are not using Oracle IDCS as the identity provider, do not provide a value for this property. For Oracle IDCS, enter a space-separated list of scopes. The default scope for Oracle IDCS is openid groups.

issuer
    Identifies the issuer of the JWT. Enter the URI of the identity server that you have set up. It is the value of the issuer field in the response from the Discovery URL, for example, https://identity.oraclecloud.com. Every JWT whose iss claim does not match this value is rejected. See Run the Discovery URL.

jwksUri
    The URL of the identity provider's publicly hosted JSON Web Key Set (JWKS) endpoint, which is used to validate the signature of the JWT. The JWKS contains the public keys used to verify incoming JWTs; the coordinator selects the key whose kid matches the kid in the JWT header. See Run the Discovery URL.

identityProviderUrl
    Specify the URL of the JWT identity provider. This information is required to obtain a new access token by using the refresh token. If you do not provide this information, expired access tokens are not refreshed automatically. For example, http://192.0.2.1:8080/auth/realms/tmmdev when you use Keycloak as the identity provider. See Run the Discovery URL.

audience
    Enter the audience of the token. Every JWT is validated to check that its aud claim contains this value. You must provide a value for this property to access the MicroTx console. Copy this value from the aud claim of an access token issued by your identity provider.

adminUserRoles
    Enter a comma-separated list of the names of the administrator roles that you have configured in the identity provider to grant access to the MicroTx administrator APIs. Only users that are granted one of these roles are permitted to access the console. For example, admin, consoleadmin. See Specify the Admin Role in YAML file.

adminUserRolesPath
    Enter the path, as a comma-separated list of claim names, to the roles in the JWT. The coordinator reads the list of roles at this path and compares it with adminUserRoles. For example, realm_access, roles. See Specify the Admin Role in YAML file.

clientSecretName
    Enter the name of the Kubernetes secret that you have created to ensure that users can access the MicroTx console. See Create a Secret with Identity Provider Client Credentials.

The following code snippet provides sample values for the identityProvider field in the values.yaml file. The sample values in this example are based on Run the Discovery URL and Specify the Admin Role in YAML file.

identityProvider:
    issuer: "https://identity.oraclecloud.com"
    jwksUri: "https://idcs-a83e4...identity.oraclecloud.com:443/admin/v1/SigningCert/jwk"
    identityProviderUrl: "https://idcs-a83e4...identity.oraclecloud.com/oauth2/v1/token"
    audience: "account"
    adminUserRoles: "admin"
    adminUserRolesPath: "userAppRoles"
    clientSecretName: "console-identity-client-secret"

The example tenant base URL, https://idcs-a83e4...identity.oraclecloud.com, has been truncated with ellipses (...) for readability. Use the complete value from your environment.