OIDC (tsb.tetrate.io/v2)
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | tsb.tetrate.io/v2 | true |
| kind | string | OIDC | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | OIDC represents an OpenID Connect (OIDC) configuration that can be used to authenticate users in Service Bridge. | false |
| status | object | | false |
OIDC.spec
OIDC represents an OpenID Connect (OIDC) configuration that can be used to authenticate users in Service Bridge.
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | OIDC settings for the OIDC provider. | true |
| secret | string | Base64 encoded client secret for the OIDC provider. | true |
| configGenerationMetadata | object | Default metadata values that will be propagated to the children Istio generated configurations. | false |
| deletionProtectionEnabled | boolean | When set, prevents the resource from being deleted. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
OIDC.spec.config
OIDC settings for the OIDC provider.
| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | The client ID from the OIDC provider's application configuration settings. | true |
| providerConfig | object | OIDC provider configuration. | true |
| redirectUri | string | The public URI where TSB is accessed. | true |
| authorizationParams | map[string]string | Optional parameters that will be included in the authorization request to the authorization endpoint. | false |
| maxExpirationSeconds | integer | Optional max expiration time of issued tokens. Format: int32 | false |
| offlineAccessConfig | object | Optional OIDC settings specific to offline access. | false |
| scopes | []string | Scopes passed to the OIDC provider in the Authentication Request. | false |
OIDC.spec.config.providerConfig
OIDC provider configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| dynamic | object | Provider configuration discovered from the OIDC provider's well-known configuration URI. | false |
| static | object | Provider configuration with explicitly listed endpoints and keys. | false |
OIDC.spec.config.providerConfig.dynamic
| Name | Type | Description | Required |
|---|---|---|---|
| configurationUri | string | OIDC provider's well-known OIDC configuration URI. | true |
OIDC.spec.config.providerConfig.static
| Name | Type | Description | Required |
|---|---|---|---|
| authorizationEndpoint | string | The Authorization Endpoint for the OIDC provider. | true |
| tokenEndpoint | string | The Token Endpoint for the OIDC provider. | true |
| deviceCodeEndpoint | string | The Device Code endpoint for the OIDC provider. | false |
| introspectionEndpoint | string | The Introspection endpoint for the OIDC provider. | false |
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
OIDC.spec.config.offlineAccessConfig
Optional OIDC settings specific to offline access.
| Name | Type | Description | Required |
|---|---|---|---|
| deviceCodeAuth | object | OIDC settings for Device Code Authorization grant used with offline access. | false |
| tokenExchange | object | OIDC settings for Token Exchange grant used with offline access. | false |
OIDC.spec.config.offlineAccessConfig.deviceCodeAuth
OIDC settings for Device Code Authorization grant used with offline access.
| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | The client ID from the OIDC provider's application configuration settings. | false |
| providerConfig | object | OIDC provider configuration. | false |
| scopes | []string | Scopes passed to the OIDC provider in the Device Code request. The required scope 'openid' is included by default; any additional scopes will be appended in the Device Code Authorization request. | false |
| skipClientIdCheck | boolean | Instructs JWT validation to ignore the 'aud' claim. | false |
OIDC.spec.config.offlineAccessConfig.deviceCodeAuth.providerConfig
OIDC provider configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| dynamic | object | Provider configuration discovered from the OIDC provider's well-known configuration URI. | false |
| static | object | Provider configuration with explicitly listed endpoints and keys. | false |
OIDC.spec.config.offlineAccessConfig.deviceCodeAuth.providerConfig.dynamic
| Name | Type | Description | Required |
|---|---|---|---|
| configurationUri | string | OIDC provider's well-known OIDC configuration URI. | true |
OIDC.spec.config.offlineAccessConfig.deviceCodeAuth.providerConfig.static
| Name | Type | Description | Required |
|---|---|---|---|
| authorizationEndpoint | string | The Authorization Endpoint for the OIDC provider. | true |
| tokenEndpoint | string | The Token Endpoint for the OIDC provider. | true |
| deviceCodeEndpoint | string | The Device Code endpoint for the OIDC provider. | false |
| introspectionEndpoint | string | The Introspection endpoint for the OIDC provider. | false |
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
OIDC.spec.config.offlineAccessConfig.tokenExchange
OIDC settings for Token Exchange grant used with offline access.
| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | The client ID from the OIDC provider's application configuration settings. | false |
| providerConfig | object | OIDC provider configuration. | false |
| scopes | []string | Scopes passed to the OIDC provider in the Device Code request. The required scope 'openid' is included by default; any additional scopes will be appended in the Device Code Authorization request. | false |
| skipClientIdCheck | boolean | Instructs JWT validation to ignore the 'aud' claim. | false |
OIDC.spec.config.offlineAccessConfig.tokenExchange.providerConfig
OIDC provider configuration.
| Name | Type | Description | Required |
|---|---|---|---|
| dynamic | object | Provider configuration discovered from the OIDC provider's well-known configuration URI. | false |
| static | object | Provider configuration with explicitly listed endpoints and keys. | false |
OIDC.spec.config.offlineAccessConfig.tokenExchange.providerConfig.dynamic
| Name | Type | Description | Required |
|---|---|---|---|
| configurationUri | string | OIDC provider's well-known OIDC configuration URI. | true |
OIDC.spec.config.offlineAccessConfig.tokenExchange.providerConfig.static
| Name | Type | Description | Required |
|---|---|---|---|
| authorizationEndpoint | string | The Authorization Endpoint for the OIDC provider. | true |
| tokenEndpoint | string | The Token Endpoint for the OIDC provider. | true |
| deviceCodeEndpoint | string | The Device Code endpoint for the OIDC provider. | false |
| introspectionEndpoint | string | The Introspection endpoint for the OIDC provider. | false |
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
OIDC.spec.configGenerationMetadata
Default metadata values that will be propagated to the children Istio generated configurations.
| Name | Type | Description | Required |
|---|---|---|---|
| annotations | map[string]string | Set of key value pairs that will be added into the | false |
| labels | map[string]string | Set of key value pairs that will be added into the | false |
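A complete OIDC resource assembled from the fields documented above, as an added example that is not part of Tetrate's documentation. Hostnames, resource and client names, and the secret are placeholders; the interactive login uses a dynamic provider configuration, while the device-code client is shown with a static one so both shapes appear.

```yaml
# Added example; all values are placeholders, not a real deployment.
apiVersion: tsb.tetrate.io/v2
kind: OIDC
metadata:
  name: corp-oidc      # placeholder; other fields follow the Kubernetes metadata object
spec:
  displayName: Corporate IdP
  description: OIDC login for Service Bridge users
  deletionProtectionEnabled: true   # guards the login configuration against accidental deletion
  # Base64-encoded client secret issued by the provider (placeholder, not a real secret).
  secret: <base64-encoded-client-secret>
  config:
    clientId: tsb-ui                       # placeholder client ID registered at the provider
    redirectUri: https://tsb.example.com   # public URI where TSB is reached; must match the provider's registration
    scopes: [openid, profile, email]
    maxExpirationSeconds: 3600             # cap on the lifetime of issued tokens
    authorizationParams:
      prompt: login                        # extra parameter sent on the authorization request
    providerConfig:
      # dynamic: endpoints and keys are discovered from the well-known document
      dynamic:
        configurationUri: https://idp.example.com/.well-known/openid-configuration
    offlineAccessConfig:
      deviceCodeAuth:
        clientId: tsb-cli                  # separate client for the device-code grant (placeholder)
        scopes: [offline_access]           # 'openid' is added by default
        providerConfig:
          # static: endpoints and keys listed explicitly
          static:
            authorizationEndpoint: https://idp.example.com/oauth2/authorize
            tokenEndpoint: https://idp.example.com/oauth2/token
            deviceCodeEndpoint: https://idp.example.com/oauth2/device
            jwksUri: https://idp.example.com/oauth2/keys
        # Left unset (false): the 'aud' claim is validated, so a token the
        # provider issued to a different client is rejected. Setting it to
        # true disables that check.
        # skipClientIdCheck: true
  configGenerationMetadata:
    labels:
      team: platform
    annotations:
      owner: identity-team@example.com
```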