How to prevent Tenant users from viewing the OIDC Client Secret after initial configuration
search cancel

How to prevent Tenant users from viewing the OIDC Client Secret after initial configuration

book

Article ID: 427853

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • Viewing the Client Secret in the Cloud Director (VCD) Tenant portal under Administration > Identity Providers > OIDC.
  • Clicking the "eye" secret visibility icon shows the Client Secret value in plaintext after initial configuration of OpenID Connect (OIDC) Identity Provider.

Environment

  • VMware Cloud Director 10.6.1.2

Resolution

Currently there is no Right in VCD which controls visibility only of the Client Secret value.
Edit and view permissions for the entire Administration > Identity Providers > OIDC section can be removed for a Tenant user's Role by removing the following Rights:

  • Organization >  Edit Organization OAuth Settings
  • Organization >  View OAuth Settings

Example steps would be as follows:

  1. Log into the VCD Provider portal as a System Administrator.
  2. Navigate to Administration > Tenant Access Control > Global Roles.
  3. Clone the default "Organization Administrator" Role to a new Global Role, for example called "Organization Administrator without OIDC".
  4. During cloning of this new Global Role, select the Modify Selected Rights option.
  5. Deselect the two Rights associated with configuring OIDC:

    Organization >  Edit Organization OAuth Settings
    Organization >  View OAuth Settings

  6. After saving this new Global Role, select it, click Publish, and proceed to publish the Global Role to the Organization where OIDC settings are to be hidden.
  7. Open the Organization's Tenant portal and proceed to change the assigned Role of the Users and Groups from the default "Organization Administrator" Global Role to the new custom one "Organization Administrator without OIDC". More information on changing the Role of Users and Groups can be found in the documentation on how to Modify a User in Your VMware Cloud Director Tenant Portal and Edit a Group Using Your VMware Cloud Director Tenant Portal respectively.
  8. Users logging into the VCD Tenant portal with this new Role will have no visibility of the Administration > Identity Providers > OIDC section.

Additional Information

For more information on configuring OIDC see the documentation, Configure Your System to Use an OpenID Connect Identity Provider Using Your VMware Cloud Director Tenant Portal.

For more information on configuring Global Roles see the documentation, Managing Global VMware Cloud Director Tenant Roles.

Powered by Wolken Software