Add guides for common OIDC providers #3917
Conversation
What's the status of this?
I really want to get this in but haven't found the time to move it to a reviewable state. Will see if I can get it there by end of this week.
@makkes Got it, thanks much. PTAL at the other draft docs PRs on OIDC and see if you can bring them together into a structure that works. We can also do this together if you'd like.
7d1ccbe to 1758064
@enekofb @bigkevmcd this is now finally ready for review.
Nice one! Some small suggestions added.
🙏 please also share some background on how the suggested configurations were tested / validated.
adding some more folks for visibility.
redirectURL: http://YOUR_WEAVE_GITOPS_DOMAIN/oauth2/callback | ||
customScopes: openid | ||
claimUsername: sub | ||
``` |
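Review bot: `redirectURL` in this block uses plain `http://` for the OAuth2 callback, which is the URL the authorization code is delivered to; the example should read `redirectURL: https://YOUR_WEAVE_GITOPS_DOMAIN/oauth2/callback`, and the text should say that exactly this URL (scheme included) has to be registered as the redirect URI on the provider side, otherwise the provider rejects the callback.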
Maybe we want to talk about the groups on Azure?
And recommend that users use roles https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles ?
👍🏻 I will need to set this up one more time to see what specifically is necessary for getting the groups.
Tested this once more and added a step to configure group claims.
Did this get pushed?
customScopes: openid
The funny thing is you don't need to request any other scope if the groups claim is configured. The claim will be pushed nonetheless. 🤷🏻♂️ Microsoft doing Microsoft things.
I validated them all manually. The perfect setup would be for us to add e2e tests to the code base verifying proper OIDC functionality but that's completely out of scope of this PR. I'd be happy to start this afterwards, though.
@enekofb @bigkevmcd addressed all your comments. ptal
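The comments above turn on what an ID token actually carries (a `groups` claim arriving without a `groups` scope being requested) and on which claim is used as the username. The script below is an added example, not Weave GitOps code and not part of this PR: it verifies an ID token and maps its claims onto the Kubernetes impersonation headers the dashboard would derive from `claimUsername` and a groups claim. The key, issuer, audience and token are constructed so it runs offline; a real provider signs with RS256/ES256 and publishes its keys via the discovery document, so the HS256 verification here stands in for that step and is not how any provider is configured.

```python
"""Verify a constructed OIDC ID token and show which claims it carries and
how they map onto Kubernetes impersonation headers.

Added example, not project code. KEY, ISSUER, AUD and the sample claims are
constructed for the demo; a real deployment verifies the provider's RS256/
ES256 signature against the JWKS from its discovery document instead of HS256.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"                      # constructed, demo only
ISSUER = "https://login.example.test/v2.0"         # constructed issuer
AUD = "weave-gitops-client-id"                     # constructed client id


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT so the example has a token to inspect."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_and_decode(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check alg, signature, iss, aud and exp before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never accept 'none' or a surprise alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def impersonation_headers(claims: dict, claim_username: str = "sub",
                          claim_groups: str = "groups") -> dict:
    """Map verified claims onto the headers used for Kubernetes impersonation.
    Impersonate-Group may repeat, so it is kept as a list here."""
    user = claims.get(claim_username)
    if not user:
        raise ValueError(f"claim {claim_username!r} missing from ID token")
    groups = claims.get(claim_groups) or []
    if isinstance(groups, str):
        groups = [groups]
    return {"Impersonate-User": str(user), "Impersonate-Group": list(groups)}


# Constructed claims: only 'openid' was requested, yet the provider pushed
# a groups claim (the Azure behaviour described in the thread).
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": AUD, "sub": "user-123",
    "groups": ["platform-admins"], "iat": 1_700_000_000, "exp": 2_000_000_000,
}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS, KEY)

if __name__ == "__main__":
    claims = verify_and_decode(SAMPLE_TOKEN, KEY, ISSUER, AUD)
    print("claims present:", sorted(claims))
    print("headers:", impersonation_headers(claims, claim_username="sub"))
```

Run it against a real token by swapping the verification step for a proper JWKS-based check and passing the claim name you configured as `claimUsername`; the headers it returns are what the RBAC subjects in the cluster have to name, which is why an opaque `sub` value is harder to bind to than a stable email or UPN.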
🚀
@@ -135,6 +135,8 @@ You may decide to give your engineering teams access to the WGE dashboard so the | |||
|
|||
OIDC extends the OAuth2 authorization protocol by including an additional field (ID Token) that contains information (claims) about a user's identity. After a user successfully authenticates with the OIDC provider, Weave GitOps Enterprise uses this information to impersonate the user in any calls to the Kubernetes API. This allows cluster administrators to use RBAC rules to control access to the cluster and the dashboard. | |||
|
|||
For more specific examples of how to setup OIDC with Weave GitOps, see [this guide](../../../guides/oidc/). |
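Review bot: in the last added line "how to setup OIDC" should be "how to set up OIDC" (verb), and the relative link `../../../guides/oidc/` depends on the depth of this file in the docs tree, so please confirm it resolves in the rendered site rather than only in the editor.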
💯
@bigkevmcd do you want to take another look at this? I'd love to merge this today or tomorrow so we can take care of #4113 next.
This is a first revision of this guide and likely subject to extension/improvement going forward but it'll definitely help setting up Weave GitOps as an OIDC client properly. Signed-off-by: Max Jonas Werner <[email protected]>
Google's identity provider does not support the groups scope which Weave GitOps requests by default. That's why in | ||
this example the `customScopes` field is set to only request the `openid` and `email` scopes. |
👍🏻
redirectURL: http://YOUR_WEAVE_GITOPS_DOMAIN/oauth2/callback | ||
customScopes: openid | ||
claimUsername: sub | ||
``` |
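Review bot: this block still shows `customScopes: openid` while the Google text added in this PR says `customScopes` is set to request the `openid` and `email` scopes; one of the two needs updating so the example matches the explanation, and the same `http://` vs `https://` point applies to `redirectURL` here.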
Did this get pushed?
customScopes: openid
1. Log in to the Keycloak admin console and [create a realm](https://www.keycloak.org/docs/latest/server_admin/#configuring-realms). | ||
1. [Create a client application](https://www.keycloak.org/docs/latest/authorization_services/index.html#_resource_server_create_client) | ||
and choose "OpenID Connect" as the client type. | ||
1. Make sure to set the "Client Authenticator" on the "Credentials" tab to "Client Id and Secret" and generate a secret. |
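Review bot: the three Keycloak steps never mention registering the dashboard's callback URL as a valid redirect URI on the client; Keycloak rejects an authorization request whose `redirect_uri` is not on that list, so a step such as "Add `https://YOUR_WEAVE_GITOPS_DOMAIN/oauth2/callback` to the client's Valid redirect URIs" belongs between creating the client and generating the secret. Step 3 should also say where the generated secret goes (a Kubernetes Secret), so readers do not paste it into a committed values file.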
Do we need to say anything about scopes for the client?
Do we need to say anything about groups for this? (realm roles?!)
I basically stopped iterating on this part of the page as soon as #4113 arrived because that PR provides all the nitty-gritty details of using WeGO with Keycloak. So I suppose this part will be overridden soon, anyway.
Gotcha, maybe we can remove this?
And link to the other doc?
Yes, I will as soon as the other doc is merged.
I'm ok with these, I suspect we'll need to cover more use-cases.
It'd be unfortunate if we become the gate-keepers for every OIDC config.
Great stuff thanks team!
https://staging.docs.gitops.weave.works/oidc-guides/docs/next/guides/oidc/