FunctionGraph script to automatically rotate OIDC IdP signing keys
IAM offers Identity Providers with the OpenID Connect (OIDC) protocol. The configuration requires a signing key from the service provider (e.g., MS Entra ID). Most service providers rotate this key regularly and publish the currently valid keys, following the OpenID Connect Discovery standard, at the "jwks_uri" advertised in their discovery document, from which identity providers can fetch and update the key.
For IAM to fetch the "jwks_uri" and therefore the new valid signing keys itself, its backend component would need access to the internet. For security reasons, backend components of T Cloud Public are strictly isolated from the internet.
The API to update the identity provider configuration, and therefore the signing key, is publicly accessible. Customers can use this script to monitor changes to the signing keys of the service providers and update the identity provider configuration on the T Cloud Public IAM side.
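The following is an added example of the rotation check the paragraphs above describe; it is my illustration, not the code of the attached idp-key-rotation function. It resolves the jwks_uri from the OpenID Connect Discovery document of the configured Identity Provider URL (the issuer), checks that the document's issuer matches, fetches the JWKS, diffs it by key ID against the JWKS currently stored in IAM, and builds an update body only when the published key set changed. Assumptions: `fetch_json` is an injectable stand-in for an HTTPS GET (a fake, dictionary-backed one is used here so the code runs offline), the `signing_key` and `description` field names of the IAM update body are assumed rather than taken from the page, and all JWKS documents are constructed sample data.

```python
import json
from typing import Any, Callable, Dict, Set, Tuple

DISCOVERY_PATH = "/.well-known/openid-configuration"
FetchJson = Callable[[str], Dict[str, Any]]


def discover_jwks_uri(issuer: str, fetch_json: FetchJson) -> str:
    """Resolve jwks_uri from the issuer's OpenID Connect Discovery document
    rather than hard-coding a keys URL, and refuse documents whose issuer
    does not match the Identity Provider URL configured in IAM."""
    doc = fetch_json(issuer.rstrip("/") + DISCOVERY_PATH)
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch for {issuer}: {doc.get('issuer')!r}")
    jwks_uri = doc.get("jwks_uri", "")
    if not jwks_uri.startswith("https://"):
        raise ValueError(f"no https jwks_uri in discovery document of {issuer}")
    return jwks_uri


def signing_kids(jwks: Dict[str, Any]) -> Set[str]:
    """Key IDs of the keys usable for signature verification.
    'use' is optional in a JWK; absence is treated as signing-capable."""
    kids: Set[str] = set()
    for key in jwks.get("keys", []):
        if key.get("use", "sig") != "sig":
            continue  # encryption keys never verify an id_token
        if "kid" not in key:
            raise ValueError("JWKS has a signing key without kid; rotation cannot be tracked")
        kids.add(key["kid"])
    return kids


def compare_keys(configured_jwks_json: str, published: Dict[str, Any]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) kids between the JWKS stored in IAM and the published one."""
    configured = signing_kids(json.loads(configured_jwks_json))
    return signing_kids(published) - configured, configured - signing_kids(published)


def rotate_idp(idp_name: str, idp_url: str, configured_jwks_json: str,
               fetch_json: FetchJson, now: str) -> Dict[str, Any]:
    """One rotation cycle for a single IdP: discover, fetch, diff, and build
    the update body only when the published key set actually changed."""
    jwks_uri = discover_jwks_uri(idp_url, fetch_json)
    published = fetch_json(jwks_uri)
    added, removed = compare_keys(configured_jwks_json, published)
    result: Dict[str, Any] = {"idp": idp_name, "jwks_uri": jwks_uri,
                              "added": sorted(added), "removed": sorted(removed),
                              "rotated": False, "update_body": None}
    if added or removed:
        # Field names are an assumption about the IAM update request. The whole
        # JWKS document is stored as the signing key (as in the console steps),
        # so it is passed through verbatim instead of selecting one key.
        result["rotated"] = True
        result["update_body"] = {
            "signing_key": json.dumps(published, separators=(",", ":")),
            "description": f"Key rotated via FunctionGraph at {now}",
        }
    return result


# ---- constructed sample data (not captured from a real provider) ----
ISSUER = "https://accounts.google.com"
JWKS_URI = "https://www.googleapis.com/oauth2/v3/certs"
CONFIGURED_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "old-1", "alg": "RS256", "n": "AQ", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "keep-2", "alg": "RS256", "n": "AQ", "e": "AQAB"},
]})
PUBLISHED_JWKS: Dict[str, Any] = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "keep-2", "alg": "RS256", "n": "AQ", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "new-3", "alg": "RS256", "n": "AQ", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "enc-9", "alg": "RSA-OAEP", "n": "AQ", "e": "AQAB"},
]}
PUBLISHED_JWKS_JSON = json.dumps(PUBLISHED_JWKS)
FAKE_RESPONSES: Dict[str, Dict[str, Any]] = {
    ISSUER + DISCOVERY_PATH: {"issuer": ISSUER, "jwks_uri": JWKS_URI},
    JWKS_URI: PUBLISHED_JWKS,
}


def fake_fetch_json(url: str) -> Dict[str, Any]:
    """Offline stand-in for an HTTPS GET; a deployment would use urllib here."""
    return FAKE_RESPONSES[url]


def run_sample(configured_jwks_json: str = CONFIGURED_JWKS) -> Dict[str, Any]:
    """Run one cycle against the constructed data; rotates with the default input,
    reports nothing to do when IAM already holds the published JWKS."""
    return rotate_idp("GoogleOIDC", ISSUER, configured_jwks_json,
                      fake_fetch_json, "2024-01-01T00:00:00Z")


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

With the constructed data the cycle reports `new-3` as added and `old-1` as removed, ignores the encryption key `enc-9` in the comparison, and produces an update body; run again with the published JWKS as the configured one, it reports no change and no update body, which is the behaviour a scheduled timer trigger needs so that the IdP is not rewritten on every run.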
Step-by-step guide to deploy the IDP Key Rotation function using Console.
You need an account with these permissions:
- IAM: Create policies, create agencies, attach policies
- FunctionGraph: Create and configure functions
Step 1: Create IAM Policy
In Console, click Identity and Access Management. In the left sidebar, click Permissions -> Policies/Roles, then click the Create Custom Policy button.
Policy Name: IDP-Key-Rotation-Policy
Switch to the JSON tab and enter this content:
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:identityProviders:listIdentityProviders",
        "iam:identityProviders:getIdentityProvider",
        "iam:identityProviders:updateIdentityProvider",
        "iam:identityProviders:getProtocol",
        "iam:identityProviders:updateProtocol",
        "iam:identityProviders:getOpenIDConnectConfig",
        "iam:identityProviders:updateOpenIDConnectConfig"
      ]
    }
  ]
}
```
Save the policy.
Step 2: Create Agency
In the IAM console (from Step 1), click Agencies in the left sidebar, then click the Create Agency button.
Fill in the agency form:
| Field | Value | Notes |
|---|---|---|
| Agency Name | idp-key-rotation-agency | Unique name for this agency |
| Agency Type | Cloud service | Agency for services |
| Cloud Service | FunctionGraph | Service that will use this agency |
| Validity Period | Unlimited | Agency doesn't expire |
| Description | "Agency for IDP key rotation function" | Optional but recommended |
Click Next, then select the IDP-Key-Rotation-Policy policy created in Step 1. The scope should show "All resources".
Click OK, then Finish.
Before starting, collect these values:
| Variable | Where to Find | Your Value |
|---|---|---|
| DOMAIN_NAME | Console → My Credentials → Domain Name | |
| PROJECT_NAME | Usually eu-de | |
| IDP_IDS | IAM → Identity Providers (exact names) | |
| AZURE_TENANT_ID | Azure Portal → Entra ID → Tenant ID | |
Create the identity provider for Azure Entra ID:
- Log into Console
- Navigate to IAM (Identity and Access Management)
- Click Identity Providers in left sidebar
- Click Create Identity Provider
Fill in the form:
| Field | Value | Example | Notes |
|---|---|---|---|
| Name | AzureOIDC | AzureOIDC | Case-sensitive, must match IDP_IDS env var |
| Protocol | OpenID Connect | OpenID Connect | |
| SSO Type | Virtual user | Virtual user | |
| Status | Enabled | Enabled | |
| Description | Descriptive text | Azure AD OIDC authentication | Optional |
- Click OK, then click Modify Identity Provider
Fill in OIDC configuration:
| Field | Value | Example | Notes |
|---|---|---|---|
| Access Type | programmatic access and management console | | |
| Identity Provider URL | https://login.microsoftonline.com/{AZURE_TENANT_ID}/v2.0 | https://login.microsoftonline.com/4606102c-e3b4-4bba-a38f-cf14aa589558/v2.0 | From Azure tenant ID |
| Client ID | Application (client) ID from Azure | 12345678-1234-1234-... | From Azure app registration |
| Authorization endpoint | https://login.microsoftonline.com/{AZURE_TENANT_ID}/oauth2/v2.0/authorize | https://login.microsoftonline.com/4606102c-e3b4-4bba-a38f-cf14aa589558/oauth2/v2.0/authorize | |
| Scopes | openid email profile | openid email profile | |
| Response Type | id_token | id_token | |
| Response Mode | form_post | form_post | |
| Signing Key | paste the content from https://login.microsoftonline.com/common/discovery/v2.0/keys | | |
Create the identity provider for Google:
- Log into OTC Console
- Navigate to IAM (Identity and Access Management)
- Click Identity Providers in left sidebar
- Click Create Identity Provider
Fill in the form:
| Field | Value | Example | Notes |
|---|---|---|---|
| Name | GoogleOIDC | GoogleOIDC | Case-sensitive, must match IDP_IDS env var |
| Protocol | OpenID Connect | OpenID Connect | |
| SSO Type | Virtual user | Virtual user | |
| Status | Enabled | Enabled | |
| Description | Descriptive text | Google OIDC authentication | Optional |
- Click OK, then click Modify Identity Provider
Fill in OIDC configuration:
| Field | Value | Example | Notes |
|---|---|---|---|
| Access Type | programmatic access and management console | | |
| Identity Provider URL | https://accounts.google.com | https://accounts.google.com | |
| Client ID | Application (client) ID from Google | 654307938795-940laq83d985vnk3fngh8d3obrkrpuus.apps.googleusercontent.com | |
| Authorization endpoint | https://accounts.google.com/o/oauth2/v2/auth | https://accounts.google.com/o/oauth2/v2/auth | |
| Scopes | openid email profile | openid email profile | |
| Response Type | id_token | id_token | |
| Response Mode | form_post | form_post | |
| Signing Key | paste the content from https://www.googleapis.com/oauth2/v3/certs | | |
- After protocol creation, go to Identity Conversion Rules tab
- Click Create Rule or Set Rule
Mapping configuration:
```json
[
  {
    "remote": [
      {
        "type": "email"
      }
    ],
    "local": [
      {
        "user": {
          "name": "{0}"
        }
      }
    ]
  }
]
```
Deploy the function:
- Download attached idp-key-rotation_latest.zip
- Go To FunctionGraph - Functions - Function List - Import Function
- Select Downloaded zip and Import
- Go to Configuration → Environment Variables
- Click Add Environment Variable for each:
| Key | Value |
|---|---|
| IAM_ENDPOINT | https://iam.eu-de.otc.t-systems.com |
| DOMAIN_NAME | Your domain name (collected above) |
| PROJECT_NAME | eu-de |
| IDP_IDS | AzureOIDC,GoogleOIDC (or your IDP names) |
| AZURE_TENANT_ID | Your Azure tenant ID (if using Azure) |
- Click Save
- Go to Configuration → Permissions
- Assign the created Agency from the previous step
- Click Save
- Go to the function page
- Click Test tab
- In the test event input, enter:
```json
{"action": "test_auth"}
```
- Click Test
- Check the result; it should show:
```json
{
  "statusCode": 200,
  "body": {
    "message": "OTC authentication successful",
    "token_preview": "MIIGaQYJKoZIhvcNAQcC..."
  }
}
```
- Go to function page → Triggers tab
- Click Create Trigger
- Select Timer
| Field | Value |
|---|---|
| Name | daily-key-rotation |
| Trigger Status | Enabled |
| Schedule Type | Cron |
| Cron Expression | 0 0 0 * * ? |
| Additional Information | {"action": "rotate"} |
After a run, the script should have updated the configuration of every IdP whose key changed, setting the description of each affected IdP to "Key rotated via FunctionGraph at XXX".
Depending on your IAM strategy, you can either allow or deny access to FunctionGraph as a whole. If you want to grant access to the rotation function only to a limited set of people, and also deny it to e.g. tenant admins, you can create the following IAM policy and assign it to those users:
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "functiongraph:trigger:*",
        "functiongraph:function:*"
      ],
      "Resource": [
        "FUNCTIONGRAPH:::function:default/idp-key-rotation"
      ]
    }
  ]
}
```