From 0665203c487d7739f6047f0af366529b9834fab9 Mon Sep 17 00:00:00 2001 From: Marek Michali Date: Tue, 15 Apr 2025 08:50:25 +0200 Subject: [PATCH 01/23] Update OIDC documentation with OIDC list --- docs/user/04-10-custom-oidc-configuration.md | 69 ++++++++++++++++---- 1 file changed, 58 insertions(+), 11 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index e2cb18968d..2bf716f745 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md 
@@ -1,11 +1,47 @@ # Custom OIDC Configuration -To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configuration, specify the additional `oidc` provisioning parameters. +To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configuration, you can specify either a single `oidc` object or a list of `oidc` objects as provisioning parameters. While both options are supported, using a list of `oidc` objects is the recommended approach, even if you are defining only one OIDC configuration. The single `oidc` object is only supported for backward compatibility. > [!NOTE] > `clientID` and `issuerURL` values are mandatory for custom OIDC configuration. -See the example: +See the example with the OIDC list: + +```bash + export VERion:SIO15.0 + curl --request PUT "https://$BROKER_URL/oauth/v2/service_instances/$INSTANCE_ID?accepts_incomplete=true" \ + --header 'X-Broker-API-Version: 2.14' \ + --header 'Content-Type: application/json' \ + --header "$AUTHORIZATION_HEADER" \ + --header 'Content-Type: application/json' \ + --data-raw "{ + \"service_id\": \"47c9dcbf-ff30-448e-ab36-d3bad66ba281\", + \"plan_id\": \"4deee563-e5ec-4731-b9b1-53b42d855f0c\", + \"context\": { + \"globalaccount_id\": \"$GLOBAL_ACCOUNT_ID\" + }, + \"parameters\": { + \"name\": \"$NAME\", + \"region\": \"$REGION\", + \"oidc\": { + \"list\": [ + { + \"clientID\": \"9bd05ed7-a930-44e6-8c79-e6defeb7dec5\", + \"issuerURL\": \"https://kymatest.accounts400.ondemand.com\", + \"groupsClaim\": \"groups\", + \"groupPrefix\": \"-\", + \"signingAlgs\": [\"RS256\"], + \"usernamePrefix\": \"-\", + \"usernameClaim\": \"sub\", + \"requiredClaims\": [], + } + ] + } + } + }" +``` +
+See the example with the single OIDC object (not recommended): ```bash export VERSION=1.15.0 @@ -35,9 +71,11 @@ See the example: }" ``` -If you do not provide the `oidc` object in the provisioning request or leave all object's properties empty, the default OIDC configuration is used. -However, if you do not provide the `oidc` object in the update request or leave all object’s properties empty, the saved OIDC configuration stays untouched. -See the following JSON example without the `oidc` object: +
+ +If you do not include the `oidc` list or the single `oidc` object in the provisioning request, the default OIDC configuration is applied. However, if you provide an empty `oidc` list (with zero elements), no OIDC configuration will be applied to the instance. Unlike the single `oidc` object, which defaults to the predefined values when its properties are left empty, the `oidc` list does not inherit default values for its items and they need to be explicitly defined. + +See the following JSON example without the `oidc` object or list: ```json { @@ -69,9 +107,11 @@ See the following JSON example with the `oidc` object whose properties are empty "clientID" : "", "issuerURL" : "", "groupsClaim" : "", + "groupsPrefix" : "", "signingAlgs" : [], "usernamePrefix" : "", - "usernameClaim" : "" + "usernameClaim" : "", + "requiredClaims" : [] } } } 
@@ -86,26 +126,29 @@ This is the default OIDC configuration in JSON: "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", "issuerURL" : "https://kymatest.accounts400.ondemand.com", "groupsClaim" : "groups", + "groupsPrefix" : "-", "signingAlgs" : ["RS256"], "usernamePrefix" : "-", - "usernameClaim" : "sub" + "usernameClaim" : "sub", + "requiredClaims" : [] } ... } ``` -To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. -The update operation overwrites the OIDC configuration values provided in JSON. It means that OIDC properties with empty values are considered valid. See the following scenario: +To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON, meaning that OIDC properties with empty values are considered valid and will replace the existing values. This behavior applies to both the `oidc` object and the `oidc` list. - 1. An existing instance has the following OIDC configuration: + 1. An existing instance has the following single OIDC object configuration: ``` ClientID: 9bd05ed7-a930-44e6-8c79-e6defeb7dec9 IssuerURL: https://kymatest.accounts400.ondemand.com GroupsClaim: groups + GroupsPrefix: - UsernameClaim: sub UsernamePrefix: - SigningAlgs: RS256 + RequiredClaims: [] ``` 2. A user sends an update request (HTTP PUT) with the following JSON in the payload: 
@@ -123,9 +166,11 @@ The update operation overwrites the OIDC configuration values provided in JSON. "clientID" : "new-client-id", "issuerURL" : "https://new-issuer-url.local.com", "groupsClaim" : "", + "groupsPrefix" : "", "signingAlgs" : [], "usernamePrefix" : "", - "usernameClaim" : "" + "usernameClaim" : "", + "requiredClaims" : [] } } } @@ -137,7 +182,9 @@ The update operation overwrites the OIDC configuration values provided in JSON. ClientID: new-client-id IssuerURL: https://new-issuer-url.local.com GroupsClaim: + GroupsPrefix: UsernameClaim: UsernamePrefix: SigningAlgs: + RequiredClaims: ``` From ec9182c470843e1d11a45ab801772f3104092386 Mon Sep 17 00:00:00 2001 From: Marek Michali Date: Tue, 15 Apr 2025 11:03:43 +0200 Subject: [PATCH 02/23] Update docs --- docs/user/04-10-custom-oidc-configuration.md | 247 +++++++++++++++---- 1 file changed, 200 insertions(+), 47 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 2bf716f745..ac4c47238f 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md 
@@ -1,6 +1,6 @@ # Custom OIDC Configuration -To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configuration, you can specify either a single `oidc` object or a list of `oidc` objects as provisioning parameters. While both options are supported, using a list of `oidc` objects is the recommended approach, even if you are defining only one OIDC configuration. The single `oidc` object is only supported for backward compatibility. +To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configuration, you can specify either a single `oidc` object or a list of `oidc` objects as provisioning parameters. While both options are supported, using a list of `oidc` objects is the recommended approach, even if you are defining only one OIDC configuration. The list allows you to define multiple OIDC configurations. The single `oidc` object is only supported for backward compatibility. > [!NOTE] > `clientID` and `issuerURL` values are mandatory for custom OIDC configuration. @@ -8,7 +8,7 @@ To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configur See the example with the OIDC list: ```bash - export VERion:SIO15.0 + export VERSION=1.15.0 curl --request PUT "https://$BROKER_URL/oauth/v2/service_instances/$INSTANCE_ID?accepts_incomplete=true" \ --header 'X-Broker-API-Version: 2.14' \ --header 'Content-Type: application/json' \ 
@@ -91,6 +91,51 @@ See the following JSON example without the `oidc` object or list: } ``` +See the following JSON example with the `oidc` list whose item has empty properties: + +```json +{ + "service_id" : "47c9dcbf-ff30-448e-ab36-d3bad66ba281", + "plan_id" : "4deee563-e5ec-4731-b9b1-53b42d855f0c", + "context" : { + "globalaccount_id" : {GLOBAL_ACCOUNT_ID} + }, + "parameters" : { + "region": {REGION}, + "name" : {CLUSTER_NAME}, + "oidc" : { + "clientID" : "", + "issuerURL" : "", + "groupsClaim" : "", + "groupsPrefix" : "", + "signingAlgs" : [], + "usernamePrefix" : "", + "usernameClaim" : "", + "requiredClaims" : [] + } + } +} +``` + +This is the default OIDC configuration in JSON: + +```json +{ + ... + "oidc" : { + "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL" : "https://kymatest.accounts400.ondemand.com", + "groupsClaim" : "groups", + "groupsPrefix" : "-", + "signingAlgs" : ["RS256"], + "usernamePrefix" : "-", + "usernameClaim" : "sub", + "requiredClaims" : [] + } + ... +} +``` + See the following JSON example with the `oidc` object whose properties are empty: ```json 
@@ -138,53 +183,161 @@ This is the default OIDC configuration in JSON: To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON, meaning that OIDC properties with empty values are considered valid and will replace the existing values. This behavior applies to both the `oidc` object and the `oidc` list. - 1. An existing instance has the following single OIDC object configuration: +### Scenario: Instance with an OIDC Object List - ``` - ClientID: 9bd05ed7-a930-44e6-8c79-e6defeb7dec9 - IssuerURL: https://kymatest.accounts400.ondemand.com - GroupsClaim: groups - GroupsPrefix: - - UsernameClaim: sub - UsernamePrefix: - - SigningAlgs: RS256 - RequiredClaims: [] - ``` +1. **Current OIDC Configuration** + The instance has the following OIDC object list configuration: - 2. A user sends an update request (HTTP PUT) with the following JSON in the payload: + ```json + [ + { + "ClientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "IssuerURL": "https://kymatest.accounts400.ondemand.com", + "GroupsClaim": "groups", + "GroupsPrefix": "-", + "UsernameClaim": "sub", + "UsernamePrefix": "-", + "SigningAlgs": ["RS256"], + "RequiredClaims": [] + }, + { + "ClientID": "3f2a1c8e-7b4d-4e2f-9a6b-2d8e5f7c9d12", + "IssuerURL": "https://foo.bar.com", + "GroupsClaim": "groups", + "GroupsPrefix": "-", + "UsernameClaim": "sub", + "UsernamePrefix": "acme-", + "SigningAlgs": ["RS256"], + "RequiredClaims": [] + } + ] + ``` + +2. 
**Update Request** + The user sends an HTTP PATCH request with the following payload to update the OIDC configuration: - ```json + ```json + { + "service_id": "47c9dcbf-ff30-448e-ab36-d3bad66ba281", + "plan_id": "4deee563-e5ec-4731-b9b1-53b42d855f0c", + "context": { + "globalaccount_id": "{GLOBAL_ACCOUNT_ID}" + }, + "parameters": { + "name": "{CLUSTER_NAME}", + "oidc": { + "list": [ { - "service_id" : "47c9dcbf-ff30-448e-ab36-d3bad66ba281", - "plan_id" : "4deee563-e5ec-4731-b9b1-53b42d855f0c", - "context" : { - "globalaccount_id" : {GLOBAL_ACCOUNT_ID} - }, - "parameters" : { - "name" : {CLUSTER_NAME}, - "oidc" : { - "clientID" : "new-client-id", - "issuerURL" : "https://new-issuer-url.local.com", - "groupsClaim" : "", - "groupsPrefix" : "", - "signingAlgs" : [], - "usernamePrefix" : "", - "usernameClaim" : "", - "requiredClaims" : [] - } - } + "clientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL": "https://kymatest.accounts400.ondemand.com", + "groupsClaim": "groups", + "groupsPrefix": "-", + "signingAlgs": ["RS256"], + "usernameClaim": "sub", + "usernamePrefix": "-", + "requiredClaims": [] + }, + { + "clientID": "test", + "issuerURL": "https://test.com", + "groupsClaim": "", + "groupsPrefix": "", + "signingAlgs": [], + "usernameClaim": "", + "usernamePrefix": "", + "requiredClaims": [] } - ``` - - 3. The OIDC configuration is updated to include the values of the `oidc` object from JSON provided in the update request: - - ``` - ClientID: new-client-id - IssuerURL: https://new-issuer-url.local.com - GroupsClaim: - GroupsPrefix: - UsernameClaim: - UsernamePrefix: - SigningAlgs: - RequiredClaims: - ``` + ] + } + } + } + ``` + +3. 
**Updated OIDC Configuration** + After the update, the OIDC configuration is modified to reflect the values provided in the request: + + ```json + [ + { + "ClientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "IssuerURL": "https://kymatest.accounts400.ondemand.com", + "GroupsClaim": "groups", + "GroupsPrefix": "-", + "UsernameClaim": "sub", + "UsernamePrefix": "-", + "SigningAlgs": ["RS256"], + "RequiredClaims": [] + }, + { + "ClientID": "test", + "IssuerURL": "https://test.com", + "GroupsClaim": "", + "GroupsPrefix": "", + "UsernameClaim": "", + "UsernamePrefix": "", + "SigningAlgs": [], + "RequiredClaims": [] + } + ] + ``` + + +### Scenario: Instance with a Single OIDC Object + +1. **Current OIDC Configuration** + The instance has the following OIDC object configuration: + + ```json + { + "clientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL": "https://kymatest.accounts400.ondemand.com", + "groupsClaim": "groups", + "groupsPrefix": "-", + "usernameClaim": "sub", + "usernamePrefix": "-", + "signingAlgs": ["RS256"], + "requiredClaims": [] + } + ``` + +2. **Update Request** + The user sends an HTTP PATCH request with the following payload to update the OIDC configuration: + + ```json + { + "service_id": "47c9dcbf-ff30-448e-ab36-d3bad66ba281", + "plan_id": "4deee563-e5ec-4731-b9b1-53b42d855f0c", + "context": { + "globalaccount_id": "{GLOBAL_ACCOUNT_ID}" + }, + "parameters": { + "name": "{CLUSTER_NAME}", + "oidc": { + "clientID": "new-client-id", + "issuerURL": "https://new-issuer-url.local.com", + "groupsClaim": "", + "groupsPrefix": "", + "signingAlgs": [], + "usernamePrefix": "", + "usernameClaim": "", + "requiredClaims": [] + } + } + } + ``` + +3. 
**Updated OIDC Configuration** + After the update, the OIDC configuration is modified to reflect the values provided in the request: + + ```json + { + "clientID": "new-client-id", + "issuerURL": "https://new-issuer-url.local.com", + "groupsClaim": "", + "groupsPrefix": "", + "usernameClaim": "", + "usernamePrefix": "", + "signingAlgs": [], + "requiredClaims": [] + } + ``` From 7a315457630ac6bfaf9e37cfaf7893675cf7d420 Mon Sep 17 00:00:00 2001 From: Marek Michali Date: Fri, 18 Apr 2025 13:37:42 +0200 Subject: [PATCH 03/23] More examples --- docs/user/04-10-custom-oidc-configuration.md | 74 ++++++++++++++------ 1 file changed, 52 insertions(+), 22 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index ac4c47238f..1d10812a94 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -2,11 +2,11 @@ To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configuration, you can specify either a single `oidc` object or a list of `oidc` objects as provisioning parameters. While both options are supported, using a list of `oidc` objects is the recommended approach, even if you are defining only one OIDC configuration. The list allows you to define multiple OIDC configurations. The single `oidc` object is only supported for backward compatibility. -> [!NOTE] -> `clientID` and `issuerURL` values are mandatory for custom OIDC configuration. - See the example with the OIDC list: +> [!NOTE] +> All fields except `requiredClaims` are mandatory when using the `oidc` list for custom OIDC configuration. + ```bash export VERSION=1.15.0 curl --request PUT "https://$BROKER_URL/oauth/v2/service_instances/$INSTANCE_ID?accepts_incomplete=true" \ @@ -43,6 +43,9 @@ See the example with the OIDC list:
See the example with the single OIDC object (not recommended): +> [!NOTE] +> `clientID` and `issuerURL` values are mandatory when using the single `oidc` object for for custom OIDC configuration. + ```bash export VERSION=1.15.0 curl --request PUT "https://$BROKER_URL/oauth/v2/service_instances/$INSTANCE_ID?accepts_incomplete=true" \ @@ -91,7 +94,26 @@ See the following JSON example without the `oidc` object or list: } ``` -See the following JSON example with the `oidc` list whose item has empty properties: +This is the applied OIDC configuration in JSON: + +```json +{ + ... + "oidc" : { + "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL" : "https://kymatest.accounts400.ondemand.com", + "groupsClaim" : "groups", + "groupsPrefix" : "-", + "signingAlgs" : ["RS256"], + "usernamePrefix" : "-", + "usernameClaim" : "sub", + "requiredClaims" : [] + } + ... +} +``` + +See the following JSON example with the `oidc` list: ```json { 
@@ -104,33 +126,41 @@ See the following JSON example with the `oidc` list whose item has empty propert "region": {REGION}, "name" : {CLUSTER_NAME}, "oidc" : { - "clientID" : "", - "issuerURL" : "", - "groupsClaim" : "", - "groupsPrefix" : "", - "signingAlgs" : [], - "usernamePrefix" : "", - "usernameClaim" : "", - "requiredClaims" : [] + "list": [ + { + "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL" : "https://kymatest.accounts400.ondemand.com", + "groupsClaim" : "groups", + "groupsPrefix" : "-", + "signingAlgs" : ["RS256"], + "usernamePrefix" : "-", + "usernameClaim" : "sub", + "requiredClaims" : ["first-claim=value", "second-claim=value"] + } + ] } } } ``` -This is the default OIDC configuration in JSON: +This is the applied OIDC configuration in JSON: ```json { ... "oidc" : { - "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", - "issuerURL" : "https://kymatest.accounts400.ondemand.com", - "groupsClaim" : "groups", - "groupsPrefix" : "-", - "signingAlgs" : ["RS256"], - "usernamePrefix" : "-", - "usernameClaim" : "sub", - "requiredClaims" : [] + "list": [ + { + "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL" : "https://kymatest.accounts400.ondemand.com", + "groupsClaim" : "groups", + "groupsPrefix" : "-", + "signingAlgs" : ["RS256"], + "usernamePrefix" : "-", + "usernameClaim" : "sub", + "requiredClaims" : ["first-claim=value", "second-claim=value"] + } + ] } ... } @@ -162,7 +192,7 @@ See the following JSON example with the `oidc` object whose properties are empty } ``` -This is the default OIDC configuration in JSON: +This is the applied default OIDC configuration in JSON: ```json { From 9457b8213bd0074aa2ceb8ce11d0392942433b48 Mon Sep 17 00:00:00 2001 From: Marek Michali Date: Fri, 18 Apr 2025 14:14:53 +0200 Subject: [PATCH 04/23] Better examples --- docs/user/04-10-custom-oidc-configuration.md | 86 ++++++++++---------- 1 file changed, 43 insertions(+), 43 deletions(-) 
diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 1d10812a94..f8da49d5b4 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -211,7 +211,7 @@ This is the applied default OIDC configuration in JSON: } ``` -To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON, meaning that OIDC properties with empty values are considered valid and will replace the existing values. This behavior applies to both the `oidc` object and the `oidc` list. +To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON for the `oidc` list, meaning that OIDC properties with empty values are considered valid and will replace the existing values. However, for the single `oidc` object, empty values do not change the configuration, and only the provided values are updated. ### Scenario: Instance with an OIDC Object List 
@@ -221,24 +221,24 @@ To update the OIDC configuration, provide values for the mandatory properties. W ```json [ { - "ClientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", - "IssuerURL": "https://kymatest.accounts400.ondemand.com", - "GroupsClaim": "groups", - "GroupsPrefix": "-", - "UsernameClaim": "sub", - "UsernamePrefix": "-", - "SigningAlgs": ["RS256"], - "RequiredClaims": [] + "clientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL": "https://kymatest.accounts400.ondemand.com", + "groupsClaim": "groups", + "groupsPrefix": "-", + "usernameClaim": "sub", + "usernamePrefix": "-", + "signingAlgs": ["RS256"], + "requiredClaims": ["first-claim=value", "second-claim=value"] }, { - "ClientID": "3f2a1c8e-7b4d-4e2f-9a6b-2d8e5f7c9d12", - "IssuerURL": "https://foo.bar.com", - "GroupsClaim": "groups", - "GroupsPrefix": "-", - "UsernameClaim": "sub", - "UsernamePrefix": "acme-", - "SigningAlgs": ["RS256"], - "RequiredClaims": [] + "clientID": "3f2a1c8e-7b4d-4e2f-9a6b-2d8e5f7c9d12", + "issuerURL": "https://foo.bar.com", + "groupsClaim": "groups", + "groupsPrefix": "-", + "usernameClaim": "sub", + "usernamePrefix": "acme-", + "signingAlgs": ["RS256"], + "requiredClaims": [] } ] ``` @@ -270,11 +270,11 @@ To update the OIDC configuration, provide values for the mandatory properties. W { "clientID": "test", "issuerURL": "https://test.com", - "groupsClaim": "", - "groupsPrefix": "", - "signingAlgs": [], - "usernameClaim": "", - "usernamePrefix": "", + "groupsClaim": "groups", + "groupsPrefix": "-", + "usernameClaim": "sub", + "usernamePrefix": "acme-", + "signingAlgs": ["RS256"], "requiredClaims": [] } ] 
@@ -289,24 +289,24 @@ To update the OIDC configuration, provide values for the mandatory properties. W ```json [ { - "ClientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", - "IssuerURL": "https://kymatest.accounts400.ondemand.com", - "GroupsClaim": "groups", - "GroupsPrefix": "-", - "UsernameClaim": "sub", - "UsernamePrefix": "-", - "SigningAlgs": ["RS256"], - "RequiredClaims": [] + "clientID": "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL": "https://kymatest.accounts400.ondemand.com", + "groupsClaim": "groups", + "groupsPrefix": "-", + "usernameClaim": "sub", + "usernamePrefix": "-", + "signingAlgs": ["RS256"], + "requiredClaims": [] }, { - "ClientID": "test", - "IssuerURL": "https://test.com", - "GroupsClaim": "", - "GroupsPrefix": "", - "UsernameClaim": "", - "UsernamePrefix": "", - "SigningAlgs": [], - "RequiredClaims": [] + "clientID": "test", + "issuerURL": "https://test.com", + "groupsClaim": "groups", + "groupsPrefix": "-", + "usernameClaim": "sub", + "usernamePrefix": "acme-", + "signingAlgs": ["RS256"], + "requiredClaims": [] } ] ``` @@ -363,11 +363,11 @@ To update the OIDC configuration, provide values for the mandatory properties. W { "clientID": "new-client-id", "issuerURL": "https://new-issuer-url.local.com", - "groupsClaim": "", - "groupsPrefix": "", - "usernameClaim": "", - "usernamePrefix": "", - "signingAlgs": [], + "groupsClaim": "groups", + "groupsPrefix": "-", + "usernameClaim": "sub", + "usernamePrefix": "-", + "signingAlgs": ["RS256"], "requiredClaims": [] } ``` From 9bdc5f849a866da1ae1f4160c6a47bcd3664fd75 Mon Sep 17 00:00:00 2001 From: Marek Michali Date: Fri, 18 Apr 2025 14:17:56 +0200 Subject: [PATCH 05/23] No back to object --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index f8da49d5b4..d0722fcbae 100644 --- a/docs/user/04-10-custom-oidc-configuration.md 
+++ b/docs/user/04-10-custom-oidc-configuration.md @@ -211,7 +211,7 @@ This is the applied default OIDC configuration in JSON: } ``` -To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON for the `oidc` list, meaning that OIDC properties with empty values are considered valid and will replace the existing values. However, for the single `oidc` object, empty values do not change the configuration, and only the provided values are updated. +To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON for the `oidc` list, meaning that OIDC properties with empty values are considered valid and will replace the existing values. However, for the single `oidc` object, empty values do not change the configuration, and only the provided values are updated. It is possible to update the configuration from a single `oidc` object to an `oidc` list. However, updating from an `oidc` list to a single `oidc` object is not supported. ### Scenario: Instance with an OIDC Object List From 22d8459a6dbd768a06b3edadf57147c012db2c2b Mon Sep 17 00:00:00 2001 From: Marek Michali Date: Fri, 18 Apr 2025 14:30:49 +0200 Subject: [PATCH 06/23] Better sections --- docs/user/04-10-custom-oidc-configuration.md | 105 +++++++++++-------- 1 file changed, 63 insertions(+), 42 deletions(-) 
diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index d0722fcbae..8c4d195f0a 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -78,7 +78,11 @@ See the example with the OIDC list: If you do not include the `oidc` list or the single `oidc` object in the provisioning request, the default OIDC configuration is applied. However, if you provide an empty `oidc` list (with zero elements), no OIDC configuration will be applied to the instance. Unlike the single `oidc` object, which defaults to the predefined values when its properties are left empty, the `oidc` list does not inherit default values for its items and they need to be explicitly defined. -See the following JSON example without the `oidc` object or list: +### Example 1: Without the `oidc` Object or List + +This example demonstrates a request without specifying any `oidc` configuration. The default OIDC configuration is applied automatically. + +**Request:** ```json { 
@@ -94,26 +98,32 @@ See the following JSON example without the `oidc` object or list: } ``` -This is the applied OIDC configuration in JSON: +**Applied OIDC Configuration:** ```json { ... - "oidc" : { - "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", - "issuerURL" : "https://kymatest.accounts400.ondemand.com", - "groupsClaim" : "groups", - "groupsPrefix" : "-", - "signingAlgs" : ["RS256"], - "usernamePrefix" : "-", - "usernameClaim" : "sub", - "requiredClaims" : [] - } + "oidc" : { + "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL" : "https://kymatest.accounts400.ondemand.com", + "groupsClaim" : "groups", + "groupsPrefix" : "-", + "signingAlgs" : ["RS256"], + "usernamePrefix" : "-", + "usernameClaim" : "sub", + "requiredClaims" : [] + } ... } ``` -See the following JSON example with the `oidc` list: +--- + +### Example 2: With the `oidc` List + +This example shows a request with an `oidc` list containing a single configuration. The list allows defining multiple OIDC configurations. + +**Request:** ```json { 
@@ -143,30 +153,36 @@ See the following JSON example with the `oidc` list: } ``` -This is the applied OIDC configuration in JSON: +**Applied OIDC Configuration:** ```json { ... - "oidc" : { - "list": [ - { - "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", - "issuerURL" : "https://kymatest.accounts400.ondemand.com", - "groupsClaim" : "groups", - "groupsPrefix" : "-", - "signingAlgs" : ["RS256"], - "usernamePrefix" : "-", - "usernameClaim" : "sub", - "requiredClaims" : ["first-claim=value", "second-claim=value"] - } - ] - } + "oidc" : { + "list": [ + { + "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL" : "https://kymatest.accounts400.ondemand.com", + "groupsClaim" : "groups", + "groupsPrefix" : "-", + "signingAlgs" : ["RS256"], + "usernamePrefix" : "-", + "usernameClaim" : "sub", + "requiredClaims" : ["first-claim=value", "second-claim=value"] + } + ] + } ... } ``` -See the following JSON example with the `oidc` object whose properties are empty: +--- + +### Example 3: With the `oidc` Object (Empty Properties) + +This example illustrates a request with an `oidc` object where all properties are left empty. The default OIDC configuration is applied. + +**Request:** ```json { 
@@ -192,28 +208,32 @@ See the following JSON example with the `oidc` object whose properties are empty } ``` -This is the applied default OIDC configuration in JSON: +**Applied OIDC Configuration:** ```json { ... - "oidc" : { - "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", - "issuerURL" : "https://kymatest.accounts400.ondemand.com", - "groupsClaim" : "groups", - "groupsPrefix" : "-", - "signingAlgs" : ["RS256"], - "usernamePrefix" : "-", - "usernameClaim" : "sub", - "requiredClaims" : [] - } + "oidc" : { + "clientID" : "9bd05ed7-a930-44e6-8c79-e6defeb7dec9", + "issuerURL" : "https://kymatest.accounts400.ondemand.com", + "groupsClaim" : "groups", + "groupsPrefix" : "-", + "signingAlgs" : ["RS256"], + "usernamePrefix" : "-", + "usernameClaim" : "sub", + "requiredClaims" : [] + } ... } ``` +## Updating the OIDC Configuration + To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON for the `oidc` list, meaning that OIDC properties with empty values are considered valid and will replace the existing values. However, for the single `oidc` object, empty values do not change the configuration, and only the provided values are updated. It is possible to update the configuration from a single `oidc` object to an `oidc` list. However, updating from an `oidc` list to a single `oidc` object is not supported. -### Scenario: Instance with an OIDC Object List +--- + +### Scenario 1: Updating an Instance with an OIDC Object List 1. **Current OIDC Configuration** The instance has the following OIDC object list configuration: 
@@ -311,8 +331,9 @@ To update the OIDC configuration, provide values for the mandatory properties. W ] ``` +--- -### Scenario: Instance with a Single OIDC Object +### Scenario 2: Updating an Instance with a Single OIDC Object 1. **Current OIDC Configuration** The instance has the following OIDC object configuration: From 8d933faa4ce41430deba0f088e44291e882d8abd Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:29:12 +0200 Subject: [PATCH 07/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 8c4d195f0a..ae662c1817 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -1,6 +1,6 @@ # Custom OIDC Configuration -To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configuration, you can specify either a single `oidc` object or a list of `oidc` objects as provisioning parameters. While both options are supported, using a list of `oidc` objects is the recommended approach, even if you are defining only one OIDC configuration. The list allows you to define multiple OIDC configurations. The single `oidc` object is only supported for backward compatibility. +To create an SAP BTP, Kyma runtime with a custom Open ID Connect (OIDC) configuration, specify either a list of `oidc` objects or a single `oidc` object as a provisioning parameter. While both options are supported, using a list of `oidc` objects is the recommended approach, even if you are defining only one OIDC configuration. The list allows you to define multiple OIDC configurations. The single `oidc` object is only supported for backward compatibility. See the example with the OIDC list: 
From f108fe3a0b65beff54bd05d3a4ab706f1a40fc16 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:29:37 +0200 Subject: [PATCH 08/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index ae662c1817..72dfaf28c1 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -76,7 +76,7 @@ See the example with the OIDC list:
-If you do not include the `oidc` list or the single `oidc` object in the provisioning request, the default OIDC configuration is applied. However, if you provide an empty `oidc` list (with zero elements), no OIDC configuration will be applied to the instance. Unlike the single `oidc` object, which defaults to the predefined values when its properties are left empty, the `oidc` list does not inherit default values for its items and they need to be explicitly defined. +If you do not include an `oidc` list or a single `oidc` object in the provisioning request, the default OIDC configuration is applied. However, if you provide an empty `oidc` list with zero elements, no OIDC configuration is applied to the instance. Unlike the single `oidc` object, which defaults to the predefined values when its properties are left empty, the `oidc` list does not inherit default values for its items and they must be explicitly defined. ### Example 1: Without the `oidc` Object or List From 9db955deac513cb727baef35f8ea00b6b98b1a8b Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:29:50 +0200 Subject: [PATCH 09/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 72dfaf28c1..2d86ace7b5 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -39,7 +39,6 @@ See the example with the OIDC list: } } }" -```
See the example with the single OIDC object (not recommended): From 0cc0d0868265e73cb03fdab598a0fe2cfaefcfd9 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:31:04 +0200 Subject: [PATCH 10/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 2d86ace7b5..36afb12bd7 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -40,7 +40,7 @@ See the example with the OIDC list: } }"
-See the example with the single OIDC object (not recommended): +See an example configuration with a single OIDC object (not recommended): > [!NOTE] > `clientID` and `issuerURL` values are mandatory when using the single `oidc` object for for custom OIDC configuration. From 3b13640dc3f62bf215620c8d49a34529c217d82d Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:31:16 +0200 Subject: [PATCH 11/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 36afb12bd7..301cdff10b 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -262,8 +262,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W ] ``` -2. **Update Request** - The user sends an HTTP PATCH request with the following payload to update the OIDC configuration: +2. To update the OIDC configuration, the user sends an HTTP PATCH request with the following payload: ```json { From f583120c34c4da5c3fd2f240492bd765a1cb2197 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:31:27 +0200 Subject: [PATCH 12/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 301cdff10b..1d879f9597 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md 
@@ -301,8 +301,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W } ``` -3. **Updated OIDC Configuration** - After the update, the OIDC configuration is modified to reflect the values provided in the request: +3. After the update, the OIDC configuration is modified to reflect the values provided in the request: ```json [ From 424b3b64de57acd643f936908fb2bcdedfd0daf3 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:31:40 +0200 Subject: [PATCH 13/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 1d879f9597..736382a6a6 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -332,8 +332,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W ### Scenario 2: Updating an Instance with a Single OIDC Object -1. **Current OIDC Configuration** - The instance has the following OIDC object configuration: +1. The instance has the following OIDC object configuration: ```json { From 5e2d646326e73b5d769f6cd567eaccf43f51bb60 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:31:47 +0200 Subject: [PATCH 14/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 736382a6a6..0d1bd9db1e 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md 
@@ -347,8 +347,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W } ``` -2. **Update Request** - The user sends an HTTP PATCH request with the following payload to update the OIDC configuration: +2. To update the OIDC configuration, the user sends an HTTP PATCH request with the following payload: ```json { From c6b877384c7f77defe61636e9765aadc48eafa23 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:31:53 +0200 Subject: [PATCH 15/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 0d1bd9db1e..bfbf958a04 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -372,8 +372,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W } ``` -3. **Updated OIDC Configuration** - After the update, the OIDC configuration is modified to reflect the values provided in the request: +3. After the update, the OIDC configuration is modified to reflect the values provided in the request: ```json { From 4605752d23740d4abf32cd14d26f58f1fadbd2b8 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:32:13 +0200 Subject: [PATCH 16/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index bfbf958a04..8f12324282 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md 
@@ -43,7 +43,7 @@ See the example with the OIDC list: See an example configuration with a single OIDC object (not recommended): > [!NOTE] -> `clientID` and `issuerURL` values are mandatory when using the single `oidc` object for for custom OIDC configuration. +> `clientID` and `issuerURL` values are mandatory when using a single `oidc` object for custom OIDC configuration. ```bash export VERSION=1.15.0 From ac511929b87c0a789397305e72c58914185e521c Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:32:25 +0200 Subject: [PATCH 17/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 8f12324282..a14deb45ae 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -77,7 +77,9 @@ See the example with the OIDC list: If you do not include an `oidc` list or a single `oidc` object in the provisioning request, the default OIDC configuration is applied. However, if you provide an empty `oidc` list with zero elements, no OIDC configuration is applied to the instance. Unlike the single `oidc` object, which defaults to the predefined values when its properties are left empty, the `oidc` list does not inherit default values for its items and they must be explicitly defined. -### Example 1: Without the `oidc` Object or List +## Examples + +### Configuration with No `oidc` Object and No List This example demonstrates a request without specifying any `oidc` configuration. The default OIDC configuration is applied automatically. From 96d099a401f91ed6b404a5632594f307cc1f4220 Mon Sep 17 00:00:00 2001 
From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:32:36 +0200 Subject: [PATCH 18/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index a14deb45ae..17f9b0f8c1 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -120,7 +120,7 @@ This example demonstrates a request without specifying any `oidc` configuration. --- -### Example 2: With the `oidc` List +### Configuration with the `oidc` List This example shows a request with an `oidc` list containing a single configuration. The list allows defining multiple OIDC configurations. From 1eafde7dc486da13e05717629c369dc00d419fc4 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:32:46 +0200 Subject: [PATCH 19/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 17f9b0f8c1..5740c7b80e 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -179,7 +179,7 @@ This example shows a request with an `oidc` list containing a single configurati --- -### Example 3: With the `oidc` Object (Empty Properties) +### Configuration with an Empty `oidc` Object This example illustrates a request with an `oidc` object where all properties are left empty. The default OIDC configuration is applied. From 98f8179c81f9167ff2a2f1c6b266ea8a594e8326 Mon Sep 17 00:00:00 2001 
From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:33:52 +0200 Subject: [PATCH 20/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index 5740c7b80e..af400eb6bb 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md 
@@ -230,7 +230,7 @@ This example illustrates a request with an `oidc` object where all properties ar ## Updating the OIDC Configuration -To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON for the `oidc` list, meaning that OIDC properties with empty values are considered valid and will replace the existing values. However, for the single `oidc` object, empty values do not change the configuration, and only the provided values are updated. It is possible to update the configuration from a single `oidc` object to an `oidc` list. However, updating from an `oidc` list to a single `oidc` object is not supported. +To update the OIDC configuration, provide values for the mandatory properties. Without these values, a validation error occurs. If you omit the `oidc` list or the single `oidc` object in the update request, the existing OIDC configuration remains unchanged. Providing an empty `oidc` list clears the OIDC configuration for the instance. The update operation overwrites the OIDC configuration values provided in JSON for the `oidc` list, meaning that OIDC properties with empty values are considered valid and replace the existing values. However, for a single `oidc` object, empty values do not change the configuration, and only the provided values are updated. It is possible to update the configuration from a single `oidc` object to an `oidc` list. However, updating from an `oidc` list to a single `oidc` object is not supported. --- From 699bdbd454464de54262c61a6d13a5869443d3a2 Mon Sep 17 00:00:00 2001 
From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:34:14 +0200 Subject: [PATCH 21/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index af400eb6bb..bf5173a6ed 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -234,7 +234,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W --- -### Scenario 1: Updating an Instance with an OIDC Object List +### Updating an Instance with an OIDC Object List 1. **Current OIDC Configuration** The instance has the following OIDC object list configuration: From 9d8760dece60967ddbec82ecf25ba6f8c5a973f3 Mon Sep 17 00:00:00 2001 From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:34:26 +0200 Subject: [PATCH 22/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index bf5173a6ed..f89db9b121 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -332,7 +332,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W --- -### Scenario 2: Updating an Instance with a Single OIDC Object +### Updating an Instance with a Single OIDC Object 1. The instance has the following OIDC object configuration: From a29261bc67efcc95fe15cbb7a99a3bc1c6a50e55 Mon Sep 17 00:00:00 2001 
From: Marek Michali <56163696+MarekMichali@users.noreply.github.com> Date: Wed, 30 Apr 2025 13:34:37 +0200 Subject: [PATCH 23/23] Update docs/user/04-10-custom-oidc-configuration.md Co-authored-by: Iwona Langer --- docs/user/04-10-custom-oidc-configuration.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/user/04-10-custom-oidc-configuration.md b/docs/user/04-10-custom-oidc-configuration.md index f89db9b121..9ebf981dcc 100644 --- a/docs/user/04-10-custom-oidc-configuration.md +++ b/docs/user/04-10-custom-oidc-configuration.md @@ -236,8 +236,7 @@ To update the OIDC configuration, provide values for the mandatory properties. W ### Updating an Instance with an OIDC Object List -1. **Current OIDC Configuration** - The instance has the following OIDC object list configuration: +1. The instance has the following OIDC object list configuration: ```json [
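Review bot: PATCH 09/23, hunk `@@ -39,7 +39,6 @@`: the only change is the removal of the closing code fence after the `}"` line that ends the curl example, and no later patch in the series restores it. The context of the `@@ -40,7 +40,7 @@` hunk in PATCH 10/23 shows `}"` followed directly by "See the example with the single OIDC object (not recommended):". Unless a second fence sits outside the visible context, the `bash` block stays open and the following paragraph and the `> [!NOTE]` callout render as code. Keep the fence, or, if it was a duplicate, say so in the commit message, which currently repeats only the subject line.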
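Review bot: PATCH 16/23, hunk `@@ -43,7 +43,7 @@`: the reworded NOTE still says `clientID` and `issuerURL` "are mandatory when using a single `oidc` object", which conflicts with two other passages in this series. The paragraph changed in PATCH 08/23 says the single `oidc` object "defaults to the predefined values when its properties are left empty", and the section renamed in PATCH 19/23 ("Configuration with an Empty `oidc` Object") describes a request where all properties are empty and the default configuration is applied. Suggest scoping the NOTE, for example to state that both values must be set together whenever the object overrides the defaults, so a reader cannot conclude that an empty object is rejected.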
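Review bot: PATCH 20/23, hunk `@@ -230,7 +230,7 @@`: the update paragraph leaves the list case ambiguous. It opens with "provide values for the mandatory properties. Without these values, a validation error occurs" and then says that for the `oidc` list "OIDC properties with empty values are considered valid and replace the existing values". It does not say whether an empty `clientID` or `issuerURL` inside a list item is a validation error or a valid overwrite. The same paragraph states that an empty `oidc` list "clears the OIDC configuration for the instance" without saying what authentication configuration the instance is left with afterwards, which is what an operator needs to know before sending that request. Suggest naming the mandatory properties here and splitting the paragraph into one bullet per case: omitted, empty list, list item with empty optional values, single object with empty values, and the unsupported list-to-object change.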