Create a new OIDC issuer in Vultr IAM to enable federated identity authentication. Configure the issuer URL and audience for trusted token verification.
An OIDC issuer registers an external identity provider's public key with Vultr so that Vultr can validate JWT tokens issued by that provider. This enables federated role assumption — users authenticated by the external IdP (such as Okta, Google, or Azure AD) can assume roles in Vultr without separate Vultr credentials.
The issuer requires the JWK (JSON Web Key) public key components from the external identity provider's JWKS endpoint.
This guide explains how to create an OIDC issuer using the Vultr API.
Retrieve the external identity provider's JWKS. Replace IDP-JWKS-URL with the provider's JWKS endpoint (e.g., https://dev-123456.okta.com/oauth2/default/v1/keys).
$ curl "IDP-JWKS-URL"
Note the kid, n, and e values from the first RSA key in the response.
Send a POST request to the Create OIDC Issuer endpoint. Replace IDP-ISSUER-URI with the provider's issuer URL, and IDP-KID, IDP-N-VALUE, IDP-E-VALUE with the JWK values from the previous step.
$ curl "https://api.vultr.com/v2/oidc/issuer" \
    -X POST \
    -H "Authorization: Bearer ${VULTR_API_KEY}" \
    -H "Content-Type: application/json" \
    -d '{
        "issuer": {
            "source": "external",
            "uri": "IDP-ISSUER-URI",
            "kid": "IDP-KID",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "IDP-N-VALUE",
            "e": "IDP-E-VALUE"
        }
    }'
The source field accepts external for third-party identity providers. Note the id returned in the response; it is needed when configuring role trust policies that reference this issuer.
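As an added example (not Vultr's code and not part of the original guide), the Python below carries out the two steps above offline: it picks the RSA signing key out of a JWKS document, decodes n to confirm the modulus size before trusting it, and shapes kid, n and e into the request body shown in the POST. The JWKS is constructed sample data, and the key id key-2024-a and the issuer URI used in testing are placeholders.

```python
"""Select an IdP's RSA signing key from its JWKS and build the Vultr issuer body."""
import base64

# Constructed sample JWKS, shaped like an IdP /keys response: an EC key first,
# then the RSA key we want. The modulus is a made-up 2048-bit value (0xC3
# followed by 255 bytes of 0x5A), not a real public key.
_FAKE_MODULUS = bytes([0xC3]) + bytes([0x5A]) * 255
SAMPLE_JWKS = {"keys": [
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "use": "sig", "x": "AA", "y": "AA"},
    {"kty": "RSA", "kid": "key-2024-a", "alg": "RS256", "use": "sig", "e": "AQAB",
     "n": base64.urlsafe_b64encode(_FAKE_MODULUS).rstrip(b"=").decode()},
]}


def b64url_to_int(value: str) -> int:
    """Decode an unpadded base64url JWK parameter (n or e) into an integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def select_signing_key(jwks: dict, kid=None) -> dict:
    """Pick the RSA key Vultr should trust for RS256 signature checks.

    With kid given, that exact key is returned and must be RSA; otherwise the
    first RSA key with use=sig (or no use) and alg=RS256 (or no alg) is chosen.
    """
    for key in jwks.get("keys", []):
        if kid is not None and key.get("kid") != kid:
            continue
        if key.get("kty") != "RSA":
            if kid is not None:
                raise ValueError(f"key {kid!r} is {key.get('kty')}, not RSA")
            continue
        if key.get("use", "sig") == "sig" and key.get("alg", "RS256") == "RS256":
            return key
    raise ValueError("no RSA signing key found in JWKS")


def build_issuer_request(issuer_uri: str, jwk: dict, min_bits: int = 2048) -> dict:
    """Shape the chosen JWK into the JSON body the guide POSTs to /v2/oidc/issuer,
    after decoding n to confirm the modulus is at least min_bits long."""
    bits = b64url_to_int(jwk["n"]).bit_length()
    if bits < min_bits:
        raise ValueError(f"RSA modulus is only {bits} bits; refusing to register it")
    return {"issuer": {"source": "external", "uri": issuer_uri, "kid": jwk["kid"],
                       "kty": "RSA", "alg": "RS256", "use": "sig",
                       "n": jwk["n"], "e": jwk["e"]}}
```

Because the issuer record holds one static key, the registration has to be repeated with the new kid, n and e whenever the identity provider rotates its signing key.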