
Cannot Establish an IdP as a Trusted Token Issuer through Console #17511

Closed
dhaura opened this issue Nov 2, 2023 · 2 comments
Labels: 7.0.0-stabilisation, Fixed/7.0.0, frontend, Priority/Highest, Severity/Blocker, Type/Bug, ui (Issues reported in the user interface of the embedded portals, e.g. MyAccount, Console)

Comments

@dhaura (Contributor) commented Nov 2, 2023

Describe the issue:

  • There are some use cases where it is needed to create an IdP as a trusted token issuer.
  • For example, with the introduction of API-based authentication, Native SDK based Federation is introduced, and this new federation needs the IdP to be a trusted token issuer in order to validate and exchange access tokens and ID tokens received directly by the client from the external IdP. But currently, the IS Console doesn't have a Connections template to create an IdP as a trusted token issuer, as shown in the recording below.
[Screen recording attachment: Screen.Recording.2023-11-02.at.10.32.45.mov]
  • Even though you cannot make an IdP a trusted token issuer through the Console, you can create an IdP as a trusted token issuer using the following curl command (accessing the API directly) where alias, idpIssuerName and jwks uri or certificates are specified as needed.
curl --location 'https://localhost:9443/api/server/v1/identity-providers' \
--header 'Accept: application/json' \
--header 'Accept-Language: en-US,en;q=0.5' \
--header 'Accept-Encoding: gzip, deflate, br' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <TOKEN>' \
--header 'Origin: https://localhost:9443' \
--header 'Connection: keep-alive' \
--header 'Cookie: <COOKIES>' \
--header 'Sec-Fetch-Dest: empty' \
--header 'Sec-Fetch-Mode: cors' \
--header 'Sec-Fetch-Site: same-origin' \
--data '{
    "image": "https://localhost:9443/console/libs/themes/default/assets/images/identity-providers/enterprise-idp-illustration.svg",
    "isPrimary": false,
    "roles": {
        "mappings": [],
        "outboundProvisioningRoles": []
    },
    "name": "OIDC-TTI-IDP",
    "certificate": {
        "certificates": [],
        "jwksUri": "https://www.googleapis.com/oauth2/v3/certs"
    },
    "claims": {
        "userIdClaim": {
            "uri": "http://wso2.org/claims/username"
        },
        "roleClaim": {
            "uri": "http://wso2.org/claims/role"
        },
        "provisioningClaims": []
    },
    "description": "Authenticate users with Enterprise OIDC connections.",
    "alias": "<SAMPLE-ALIAS>",
    "homeRealmIdentifier": "",
    "provisioning": {
        "jit": {
            "userstore": "DEFAULT",
            "scheme": "PROVISION_SILENTLY",
            "isEnabled": true
        }
    },
    "federatedAuthenticators": {
        "defaultAuthenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
        "authenticators": [
            {
                "isEnabled": true,
                "authenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
                "properties": [
                    {
                        "value": "<SAMPLE-CLIENT-ID>",
                        "key": "ClientId"
                    },
                    {
                        "value": "<SAMPLE-CLIENT-SECRET>",
                        "key": "ClientSecret"
                    },
                    {
                        "value": "https://localhost:9443/commonauth",
                        "key": "callbackUrl"
                    },
                    {
                        "value": "scope=email openid profile",
                        "key": "AdditionalQueryParameters"
                    },
                    {
                        "key": "OAuth2AuthzEPUrl",
                        "value": "https://accounts.google.com/o/oauth2/v2/auth"
                    },
                    {
                        "key": "OAuth2TokenEPUrl",
                        "value": "https://oauth2.googleapis.com/token"
                    }
                ]
            }
        ]
    },
    "idpIssuerName": "https://accounts.google.com",
    "isFederationHub": false,
    "templateId": "enterprise-oidc-idp"
}'

How to reproduce:

  • Log into IS console.
  • Go to Connections section.
  • Click on Create Connection.
  • Verify that there is no option to create an IdP as trusted token issuer in any IdP template (except the trusted token issuer template). [To make an IdP a trusted token issuer, there should be an option to add IdP issuer name and jwks endpoint or certificate]

Expected behavior:

  • IdP templates should include the option to make the IdP a trusted token issuer.

Environment information:

  • Product Version: IS 7.0.0 alpha2
  • OS: macOS Sonoma 14.0
  • Database: Default
  • Userstore: Default

Optional Fields

Related issues:

@dhaura dhaura added Type/Bug ui Issues reported in the user interface of the embedded portals (Ex: Myaccount, Console) frontend Priority/Highest Severity/Blocker 7.0.0-stabilisation labels Nov 2, 2023
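The following is an added example (not code from the issue or from the WSO2 project) showing the two things the report turns on: which fields in the curl payload above actually make an IdP a trusted token issuer (idpIssuerName plus a jwksUri or certificate list), and how that issuer name is later bound to a token the client received directly from the external IdP. The sample JWT is constructed and unsigned; a real exchange must also verify its signature with the configured keys.

```python
import base64
import json

# Added example, not code from the issue or the WSO2 project. It builds the
# trusted-token-issuer part of the IdP payload sent by the curl above and checks
# the precondition the issue states: an issuer name plus a JWKS URI or certificate.


def build_trusted_issuer_idp(name, issuer, jwks_uri="", certificates=None,
                             alias="<SAMPLE-ALIAS>"):
    """Minimal IdP body carrying the fields that make it a trusted token issuer."""
    return {
        "name": name,
        "alias": alias,
        "idpIssuerName": issuer,
        "certificate": {"certificates": list(certificates or []), "jwksUri": jwks_uri},
        "templateId": "enterprise-oidc-idp",
    }


def is_trusted_token_issuer(idp):
    """True only if the IdP names its issuer AND provides a source of signing keys."""
    cert = idp.get("certificate", {})
    has_keys = bool(cert.get("jwksUri")) or bool(cert.get("certificates"))
    return bool(idp.get("idpIssuerName")) and has_keys


def token_issuer_matches(idp, jwt):
    """Bind a token received by the client to this IdP via its `iss` claim.
    This is only the issuer check; the signature must still be verified with
    keys from jwksUri or certificates before the token is exchanged."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("iss") == idp.get("idpIssuerName")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed, unsigned sample token (header.payload.signature) for illustration only.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"RS256","kid":"demo"}'),
    _b64url(json.dumps({"iss": "https://accounts.google.com", "sub": "user-1"}).encode()),
    "signature-placeholder",
])
```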
@aaujayasena (Contributor) commented:

@janakamarasena

@janakamarasena (Member) commented Nov 24, 2023

The issue here is that a couple of configs available in the carbon-based management console are not available in the React console. Since the carbon console is being deprecated, these configs should be available in the new console.

The following are the configs, which are available under "Basic Information" of the IdP configuration. IMO the configs under "Basic Information" in the carbon management console should be available to IdPs in the new console.

[Screenshot attachment: Screenshot 2023-11-24 at 09 56 20]
