Access Management

OIDC REST API Makes the DevOps Job Easy

This article is intended for administrators of Access Management solutions. It outlines the basic concept of a REST API for OIDC and how to leverage that API in a DevOps process.

OAuth 2.0 and OpenID Connect (OIDC) have become the key specifications for authorization and authentication of web and API assets: OAuth 2.0 provides delegated authorization with user consent, and OIDC adds an identity layer on top of it. Together they let access management decisions be delegated to a central provider, so that data distributed across SaaS and other application providers can be composed into modern composite applications. OIDC provides a standard way to share identity claims about the user, enabling a cohesive, frictionless single sign-on experience across properties.

From an administrative perspective, OIDC objects often require updates driven by changes in requirements for client applications, such as the need to refresh client credentials, update a redirect URI, modify scope parameters, or update signing and encryption certificates. Administrators typically manage these OIDC objects manually through an admin UI.

With the introduction of a REST API for managing the federation objects of an access management solution, administrators can manage those objects remotely with any REST client. Through the REST API, OIDC objects can be created (for example a new OIDC client), updated (an existing client's redirect URIs, scopes, or credentials), and enabled or disabled.

Who can leverage the OIDC Provider REST API?

Application security remains a top priority in the digital experience: the integrity of application access by users must be maintained. The growing release frequency of applications in DevOps demands faster means of managing the access policies that protect IT assets.

DevOps engineers and application developers keep asking you to create OIDC clients so they can test flows with SaaS apps such as Salesforce or AWS. In production scenarios, you are asked to add scopes to an existing OIDC client. All of these needs keep changing with the organization's business requirements.

A REST API is an essential piece of the DevOps process for managing the rapidly growing application landscape of a business. REST APIs help move applications into production quickly, and OpenID Connect lets application developers configure authentication for access to critical applications.

A REST API for OIDC reduces total cost of ownership (TCO) by automating the management of OIDC clients and delegating those tasks to DevOps and your application developers.

In the example shown in the flow diagram below, an administrator creates the OIDC Provider object using either the REST API or the administrative UI, then grants the DevOps team access to manage OIDC Client objects according to their client applications' requirements.

This removes the dependency of application owners and DevOps teams on administrators for creating the OIDC client objects they need.

Similarly, the REST API supports other use cases: your DevOps team can update the client certificates in the OIDC Provider object as soon as they are due to expire, and can regenerate a client secret when an application moves into production, without a cumbersome process for obtaining the updated client properties from an administrator.

The OIDC Provider REST API turns client registration into a self-service process for DevOps and application owners.
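The client-object operations described above (create a client, update its redirect URIs and scopes, regenerate its secret, enable or disable it), modelled as an added example. This is not SiteMinder's or any vendor's REST API: the registry class, its method names, the endpoint paths in the comments and the policy constants are assumptions. What it shows is the checks an OIDC Provider should apply before it accepts such a request from a delegated DevOps role, and that the client secret is handed out once and only a hash is kept.

```python
"""Self-service management of OIDC client objects, modelled in memory.

Added example; not SiteMinder's or any vendor's API. Method names, endpoint
paths in comments and the policy constants below are assumptions.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed organisational policy: scopes a delegated team may request.
ALLOWED_SCOPES = {"openid", "profile", "email", "offline_access"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


class RegistryError(ValueError):
    """Raised when a request would leave a client object in an unsafe state."""


def validate_redirect_uri(uri: str) -> None:
    """Exact-match registration only: absolute, https (plain http only for
    loopback, as native apps use), no fragment, no wildcard host."""
    parts = urlsplit(uri)
    if "#" in uri:
        raise RegistryError(f"fragment not allowed in redirect URI: {uri}")
    if "*" in uri:
        raise RegistryError(f"wildcard not allowed in redirect URI: {uri}")
    if not parts.scheme or not parts.netloc:
        raise RegistryError(f"redirect URI must be absolute: {uri}")
    is_loopback = parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS
    if parts.scheme != "https" and not is_loopback:
        raise RegistryError(f"redirect URI must use https: {uri}")


def validate_scopes(scopes) -> None:
    """Require 'openid' (it is OIDC, not bare OAuth) and allow only known scopes."""
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise RegistryError(f"scopes not permitted: {sorted(unknown)}")
    if "openid" not in scopes:
        raise RegistryError("scope 'openid' is required for an OIDC client")


def hash_secret(secret: str) -> str:
    # Only a digest is stored; the plaintext is returned to the caller once.
    return hashlib.sha256(secret.encode()).hexdigest()


class ClientRegistry:
    """Stand-in for the provider's client store behind a REST endpoint."""

    def __init__(self):
        self._clients = {}

    def _get(self, client_id: str) -> dict:
        try:
            return self._clients[client_id]
        except KeyError:
            raise RegistryError(f"unknown client_id: {client_id}") from None

    def create_client(self, name: str, redirect_uris, scopes) -> dict:
        """POST /clients: validate, store, return the credentials once."""
        for uri in redirect_uris:
            validate_redirect_uri(uri)
        validate_scopes(scopes)
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self._clients[client_id] = {
            "client_id": client_id,
            "name": name,
            "redirect_uris": list(redirect_uris),
            "scopes": sorted(scopes),
            "enabled": True,
            "secret_hash": hash_secret(client_secret),
        }
        return {"client_id": client_id, "client_secret": client_secret}

    def get_client(self, client_id: str) -> dict:
        """GET /clients/{id}: public view, never the secret or its hash."""
        return {k: v for k, v in self._get(client_id).items() if k != "secret_hash"}

    def update_redirect_uris(self, client_id: str, redirect_uris) -> dict:
        """PUT /clients/{id}/redirect_uris: all-or-nothing replacement."""
        for uri in redirect_uris:
            validate_redirect_uri(uri)
        self._get(client_id)["redirect_uris"] = list(redirect_uris)
        return self.get_client(client_id)

    def update_scopes(self, client_id: str, scopes) -> dict:
        """PUT /clients/{id}/scopes."""
        validate_scopes(scopes)
        self._get(client_id)["scopes"] = sorted(scopes)
        return self.get_client(client_id)

    def rotate_secret(self, client_id: str) -> dict:
        """POST /clients/{id}/secret: the old secret stops working at once."""
        client_secret = secrets.token_urlsafe(32)
        self._get(client_id)["secret_hash"] = hash_secret(client_secret)
        return {"client_id": client_id, "client_secret": client_secret}

    def set_enabled(self, client_id: str, enabled: bool) -> dict:
        """PATCH /clients/{id}: disable without deleting the object."""
        self._get(client_id)["enabled"] = bool(enabled)
        return self.get_client(client_id)

    def verify_secret(self, client_id: str, presented: str) -> bool:
        """Token-endpoint check: disabled clients fail; constant-time compare."""
        record = self._clients.get(client_id)
        if record is None or not record["enabled"]:
            return False
        return hmac.compare_digest(record["secret_hash"], hash_secret(presented))
```

The validation is deliberately strict because a delegated role can change these fields without an administrator in the loop: a wildcard or http redirect URI, or a client registered without `openid`, is exactly the kind of change a self-service API must refuse rather than rely on review to catch.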

To learn more about how a REST API for OIDC can benefit your organization, visit our site.

About the author

Ravi Kumar Kanukollu is currently the Product Manager for the Layer7 Access Management portfolio, responsible for the SiteMinder and Directory products and for taking them to market. Prior to Broadcom, Ravi held engineering and product management responsibilities at Pegasystems for the Security & Integration product. Ravi has 10 years of experience in cyber security in the access management and federation space.