OIDC Identity Provider

OIDC Identity Provider

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”. It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol, such as Keycloak, Okta, Dex, Auth0, Gluu, and many more.

Prerequisites

You need to deploy a Kubernetes cluster and install KubeSphere in the cluster. For details, see Installing on Linux and Installing on Kubernetes.

Procedure

  1. Log in to KubeSphere as admin, move the cursor to OIDC Identity Provider - 图1 in the lower-right corner, click kubectl, and run the following command to edit ks-installer of the CRD ClusterConfiguration:

    1. kubectl -n kubesphere-system edit cc ks-installer

  2. Add the following fields under spec.authentication.jwtSecret.

    Example of using Google Identity Platform:

    1. spec:
    2.   authentication:
    3.     jwtSecret: ''
    4.     authenticateRateLimiterMaxTries: 10
    5.     authenticateRateLimiterDuration: 10m0s
    6.     oauthOptions:
    7.       accessTokenMaxAge: 1h
    8.       accessTokenInactivityTimeout: 30m
    9.       identityProviders:
    10.       - name: google
    11.         type: OIDCIdentityProvider
    12.         mappingMethod: auto
    13.         provider:
    14.           clientID: '********'
    15.           clientSecret: '********'
    16.           issuer: https://accounts.google.com
    17.           redirectURL:  'https://ks-console/oauth/redirect/google'

    See description of parameters as below:

    ParameterDescription
    clientIDThe OAuth2 client ID.
    clientSecretThe OAuth2 client secret.
    redirectURLThe redirected URL to ks-console in the following format: https://<Domain name>/oauth/redirect/<Provider name>. The <Provider name> in the URL corresponds to the value of oauthOptions:identityProviders:name.
    issuerDefines how Clients dynamically discover information about OpenID Providers.
    preferredUsernameKeyConfigurable key which contains the preferred username claims. This parameter is optional.
    emailKeyConfigurable key which contains the email claims. This parameter is optional.
    getUserInfoGetUserInfo uses the userinfo endpoint to get additional claims for the token. This is especially useful where upstreams return “thin” ID tokens. This parameter is optional.
    insecureSkipVerifyUsed to turn off TLS certificate verification.