Alauda Container Platform

OIDC Management

The platform supports the OIDC (OpenID Connect) protocol, enabling platform administrators to log in using third-party accounts after adding OIDC configuration. Platform administrators can also update and delete configured OIDC services.

Overview of OIDC

OIDC (OpenID Connect) is an identity authentication standard protocol based on the OAuth 2.0 protocol. It uses an OAuth 2.0 authorization server to provide user identity authentication for third-party clients and passes the corresponding identity authentication information to the client.

OIDC allows all types of clients (including server-side, mobile, and JavaScript clients) to request and receive authenticated sessions and end-user information. This specification suite is extensible, allowing participants to use optional features such as identity data encryption, OpenID Provider discovery, and session management when meaningful. For more information, refer to the OIDC official documentation.

Adding OIDC

By adding OIDC, you can use third-party platform accounts to log in to the platform.

Note: After OIDC users successfully log in to the platform, the platform will use the user's email attribute as the unique identifier. OIDC-supported third-party platform users must have an email attribute; otherwise, they will not be able to log in to the platform.

Procedure of Operation

  1. In the left navigation bar, click Users > IDPs.

  2. Click Add OIDC.

  3. Configure the Basic Information parameters.

  4. Configure the OIDC Server Configuration parameters:

    • Identity Provider URL: The issuer URL, which is the access address of the OIDC identity provider.

    • Client ID: The client identifier for the OIDC client.

    • Client Secret: The secret key for the OIDC client.

    • Redirect URI: The callback address after logging in to the third-party platform, which is the URL of the dex issuer + /callback.

    • Logout URL: The address visited by the user after performing the Logout operation. If empty, the logout address will be the platform's initial login page.

  5. In the IDP Service Configuration Validation area, enter the Username and Password of a valid OIDC account to verify the configuration.

    Tip: If the username and password are incorrect, an error will be reported during addition, indicating invalid credentials, and OIDC cannot be added.

  6. Click Create.

Adding OIDC via YAML

In addition to form configuration, the platform also supports adding OIDC through YAML, which allows for more flexible configuration of authentication parameters, claim mappings, user group synchronization, and other advanced features.

Example: Configuring OIDC Connector

The following example demonstrates how to configure an OIDC connector for integrating with OIDC identity authentication services. This configuration example is suitable for the following scenarios:

  1. Need to integrate OIDC as an identity authentication server.

  2. Need to support user group information synchronization.

  3. Need to customize logout redirect address.

  4. Need to configure specific OIDC scopes.

  5. Need to customize claim mappings.

apiVersion: dex.coreos.com/v1
kind: Connector
# Connector basic information
id: oidc               # Connector unique identifier
name: oidc             # Connector display name
type: oidc             # Connector type is OIDC
metadata:
  annotations:
    cpaas.io/description: "11"  # Connector description
  name: oidc
  namespace: cpaas-system
spec:
  config:
    # OIDC server configuration
    # Configure server connection information, including server address, client credentials, and callback address
    issuer: http://auth.com/auth/realms/master               # OIDC server address
    clientID: dex                                            # Client ID
    # Service account secret key, valid when creating Connector resources for the first time
    clientSecret: xxxxxxx
    redirectURI: https://example.com/dex/callback            # Callback address, must match the address registered by the OIDC client
    
    # Security configuration
    # Configure SSL verification and user information acquisition method
    insecureSkipVerify: true                                # Whether to skip SSL verification, it is recommended to set to false in a production environment
    getUserInfo: false                                      # Whether to obtain additional user information through the UserInfo endpoint

    # Logout configuration
    # Configure the redirect address after user logout
    logoutURL: https://test.com                            # Logout redirect address, can be customized to the page jumped after user logout

    # Scope configuration
    # Configure the required authorization scope, ensure that the OIDC server supports these scopes
    scopes:                                                 
      - openid                                             # Required, used for OIDC basic authentication
      - profile                                            # Optional, used to obtain user basic information
      - email                                              # Optional, used to obtain user email

    # Claim mapping configuration
    # Configure the mapping relationship between OIDC returned claims and platform user attributes
    claimMapping:                                          
      email: email                                         # Email mapping, used for user unique identification
      groups: groups                                       # User group mapping, used for organization structure
      phone: ""                                            # Phone mapping, optional
      preferred_username: preferred_username               # Username mapping, used for display name

    # User group configuration
    # Configure user group synchronization related parameters, ensure that the token contains group information
    groupsKey: groups                                      # Specify the key name of group information
    insecureEnableGroups: false                           # Whether to enable group synchronization function

Relevant Operations

You can click the on the right in the list page or click Actions in the upper-right corner on the details page to update or delete OIDC as needed.

OperationDescription
Update OIDCUpdate the added OIDC configuration. After updating the OIDC configuration information, the original users and authentication methods will be reset and synchronized according to the current configuration.
Delete OIDCDelete OIDC that is no longer used by the platform. After deleting OIDC, all users synchronized to the platform through this OIDC will have an Invalid status (the binding relationship between users and roles remains unchanged), and they cannot log in to the platform. After re-integrating, users can be activated by successfully logging in to the platform.

Tip: After deleting IDP, if you need to delete users and user groups synchronized to the platform through OIDC, check the checkbox Clean IDP Users and User Groups below the prompt box.
ON THIS PAGE