0

Trying to configure GCIP with Salesforce Identity as IDP. Tried configuring OIDC based integration. Noticed that there is no field for providing (sfdc) client secret for OIDC based configuration. Also, the response_type=id_token is getting invoked from GCIP side. We want to use authorization code flow (response_type=code) to integrate with SFDC. Is it possible?

enter image description here

tronline
  • 117
  • 1
  • 9

1 Answers1

2

Code flow for OIDC providers is supported on the GCIP backend. It is just not yet exposed in the Cloud Console or the Admin SDKs.

Notice it is documented here in the REST API.

You will need to set {code: true}

Here is a snippet in Node.js (untested):

// https://cloud.google.com/identity-platform/docs/reference/rest/v2/projects.oauthIdpConfigs/patch
return new Promise((resolve, reject) => {
  request({
      headers: {
        'Authorization': `Bearer ${accessToken}`,
        'Content-Type': 'application/json',
      },
      url: `https://identitytoolkit.googleapis.com/admin/v2/projects` +
          `/${projectId}/oauthIdpConfigs/${oidcProviderId}?updateMask=responseType`,
      method: 'PATCH',
      body: JSON.stringify({
        responseType: {
          idToken: true,
          code: true,
        }
      }),
    }, (error, response) => {
      if (!error && response.statusCode === 200) {
        resolve();
      } else {
        reject(error);
      }
    });
  });
});
bojeil
  • 29,642
  • 4
  • 69
  • 76
  • where can i set this json fragment {code: true} without getting into low level details of REST API use? – tronline Dec 23 '20 at 13:35
  • I added a snippet. – bojeil Dec 23 '20 at 19:32
  • this may sound basic query; I was using cloud run hosted app for auth handshake along with settings on gcip identity platform. Since auth code flow is not yet enabled on settings, where will i plug this nodejs code you shared – tronline Dec 23 '20 at 20:04
  • 1
    This is just a sample REST API to enable the code flow on your provider in GCIP. You don't have to run the exact thing. You can even just translate to a cURL command and substitute the missing parameters. You only need to run this once. – bojeil Dec 23 '20 at 22:08
  • ok. So this api need to be invoked only once to enable code flow, if I understand well. – tronline Dec 24 '20 at 05:22
  • Tried using the client provided next to [API] (https://cloud.google.com/identity-platform/docs/reference/rest/v2/projects.oauthIdpConfigs/patch) , results in CONFIGURATION_NOT_FOUND error – tronline Dec 24 '20 at 11:44