< img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=3131724&fmt=gif" />
  1. Documentation / 
  2. v3.4 / 
  3. Access Control and Account Management / 
  4. External Authentication / 
  5. OIDC Identity Provider

Documentation

Last updated:
    Edit

    OIDC Identity Provider

    OIDC Identity Provider

    OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”. It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol, such as Keycloak, Okta, Dex, Auth0, Gluu, Casdoor and many more.

    Prerequisites

    You need to deploy a Kubernetes cluster and install Kube AI Hub in the cluster. For details, see Installing on Linux and Installing on Kubernetes.

    Procedure

    1. Log in to Kube AI Hub as admin, move the cursor to icon in the lower-right corner, click kubectl, and run the following command to edit ks-installer of the CRD ClusterConfiguration:

      kubectl -n kubesphere-system edit cc ks-installer

    2. Add the following fields under spec.authentication.jwtSecret.

      Example of using Google Identity Platform:

      spec:
  authentication:
    jwtSecret: ''
    authenticateRateLimiterMaxTries: 10
    authenticateRateLimiterDuration: 10m0s
    oauthOptions:
      accessTokenMaxAge: 1h
      accessTokenInactivityTimeout: 30m
      identityProviders:
      - name: google
        type: OIDCIdentityProvider
        mappingMethod: auto
        provider:
          clientID: '********'
          clientSecret: '********'
          issuer: https://accounts.google.com
          redirectURL:  'https://ks-console/oauth/redirect/google'

      See description of parameters as below:

      Parameter Description
      clientID The OAuth2 client ID.
      clientSecret The OAuth2 client secret.
      redirectURL The redirected URL to ks-console in the following format: https://<Domain name>/oauth/redirect/<Provider name>. The <Provider name> in the URL corresponds to the value of oauthOptions:identityProviders:name.
      issuer Defines how Clients dynamically discover information about OpenID Providers.
      preferredUsernameKey Configurable key which contains the preferred username claims. This parameter is optional.
      emailKey Configurable key which contains the email claims. This parameter is optional.
      getUserInfo GetUserInfo uses the userinfo endpoint to get additional claims for the token. This is especially useful where upstreams return "thin" ID tokens. This parameter is optional.
      insecureSkipVerify Used to turn off TLS certificate verification.
    Previous : Use an LDAP Service
    What’s on this Page