Authentication using OpenShift

Overview

Dex can make use of users and groups defined within OpenShift by querying the platform-provided OAuth server.

Configuration

Creating an OAuth Client

Two forms of OAuth Clients can be utilized:

Using a Service Account as an OAuth Client

OpenShift Service Accounts can be used as a constrained form of OAuth client. Using a Service Account to represent an OAuth Client is the recommended option because it does not require elevated privileges within the OpenShift cluster. Create a new Service Account or reuse an existing one.

Patch the Service Account to add the annotation that registers the Redirect URI. The annotation key is serviceaccounts.openshift.io/oauth-redirecturi.dex; the "~1" in the patch path is the JSON Pointer escape for "/".

  oc patch serviceaccount <name> --type='json' -p='[{"op": "add", "path": "/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.dex", "value":"https://<dex_url>/callback"}]'

The Client ID for a Service Account representing an OAuth Client takes the form system:serviceaccount:<namespace>:<service_account_name>

The Client Secret for a Service Account representing an OAuth Client is the long-lived OAuth token configured for the Service Account. Execute the following command to retrieve it:

  oc serviceaccounts get-token <name>

Treat this token as a credential: it carries the Service Account's own permissions, not just the OAuth client role, so store it in a Secret or inject it through the environment rather than writing it into the dex configuration file. Newer oc releases deprecate oc serviceaccounts get-token in favour of oc create token, which only issues short-lived bound tokens and is therefore unsuitable as a stable client secret; on such clusters, create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: <name> and read the token from that Secret instead.

Registering An Additional OAuth Client

Instead of using a Service Account as a constrained OAuth client, a dedicated OAuthClient resource can be created. OAuthClient is a cluster-scoped resource, so this option requires cluster-level privileges.

Create a new OAuthClient resource similar to the following:

  kind: OAuthClient
  apiVersion: oauth.openshift.io/v1
  metadata:
    name: dex
  # The value that should be utilized as the `client_secret`
  secret: "<clientSecret>"
  # List of valid addresses for the callback. Ensure one of the values that are provided is `(dex issuer)/callback`
  redirectURIs:
  - "https://<dex_url>/callback"
  grantMethod: prompt

Dex Configuration

The following is an example of a configuration for examples/config-dev.yaml:

  connectors:
  - type: openshift
    # Required field for connector id.
    id: openshift
    # Required field for connector name.
    name: OpenShift
    config:
      # OpenShift API
      issuer: https://api.mycluster.example.com:6443
      # Credentials can be string literals or pulled from the environment.
      clientID: $OPENSHIFT_OAUTH_CLIENT_ID
      clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET
      # Must exactly match the redirect URI registered for the OAuth client; dex serves it at (dex issuer)/callback.
      redirectURI: http://127.0.0.1:5556/dex/callback
      # Optional: Specify whether to communicate with OpenShift without validating TLS certificates. Leave false outside development.
      insecureCA: false
      # Optional: The location of a file containing the CA certificates used to communicate with OpenShift
      rootCA: /etc/ssl/openshift.pem
      # Optional list of required groups a user must be a member of
      groups:
      - users
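The Service Account procedure above (annotate the Service Account, derive the client ID, read the token) and the connector configuration, combined into one script. This is an added example, not part of the dex documentation or the dex project. The variable names SA_NAMESPACE, SA_NAME, DEX_ISSUER and OPENSHIFT_API and the hostnames used are assumptions; the pure functions run offline, and only the final guarded block talks to a cluster.

```shell
#!/bin/sh
# Added example; not part of the dex documentation or project.
# Derives the values the openshift connector needs when a Service Account is
# the OAuth client, checks the redirect URI before anything is written to the
# cluster, and renders the matching dex connector fragment.
# Hypothetical names: SA_NAMESPACE, SA_NAME, DEX_ISSUER, OPENSHIFT_API.
# Hostnames below are constructed sample values.

# client_id for a Service Account OAuth client:
#   system:serviceaccount:<namespace>:<service_account_name>
dex_openshift_client_id() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# The redirect URI to register with OpenShift and to put in the connector's
# redirectURI: exactly <dex issuer>/callback. A trailing slash on the issuer
# is dropped so "https://h/dex" and "https://h/dex/" yield the same value.
dex_redirect_uri() {
  printf '%s/callback\n' "${1%/}"
}

# Catch the usual registration mistakes before they reach the cluster: an
# empty host ("https:///host/..."), a missing scheme, or a path that does not
# end in /callback. Any mismatch with what dex sends makes OpenShift reject
# the login with a redirect_uri error.
validate_redirect_uri() {
  case "$1" in
    https://[!/]*/callback|http://[!/]*/callback) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON patch for the Service Account annotation. "~1" is the JSON Pointer
# escape for "/" in the key serviceaccounts.openshift.io/oauth-redirecturi.dex.
sa_redirect_patch() {
  printf '[{"op":"add","path":"/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.dex","value":"%s"}]\n' "$1"
}

# dex connector fragment built from the values above. The secret stays an
# environment reference so it is never written into the config file.
render_dex_connector() {
  api=$1 client_id=$2 redirect=$3
  cat <<EOF
connectors:
- type: openshift
  id: openshift
  name: OpenShift
  config:
    issuer: $api
    clientID: $client_id
    clientSecret: \$OPENSHIFT_OAUTH_CLIENT_SECRET
    redirectURI: $redirect
    insecureCA: false
EOF
}

# Against a live cluster: validate, annotate the Service Account, then read
# the long-lived token as the client secret. oc serviceaccounts get-token is
# deprecated on newer oc releases; see the note above for the alternative.
register_sa_oauth_client() {
  ns=$1 name=$2 dex_issuer=$3
  uri=$(dex_redirect_uri "$dex_issuer")
  validate_redirect_uri "$uri" || { echo "refusing bad redirect URI: $uri" >&2; return 1; }
  oc -n "$ns" patch serviceaccount "$name" --type=json -p "$(sa_redirect_patch "$uri")"
  OPENSHIFT_OAUTH_CLIENT_ID=$(dex_openshift_client_id "$ns" "$name")
  OPENSHIFT_OAUTH_CLIENT_SECRET=$(oc -n "$ns" serviceaccounts get-token "$name")
  export OPENSHIFT_OAUTH_CLIENT_ID OPENSHIFT_OAUTH_CLIENT_SECRET
}

# Only touches a cluster when oc is installed and the hypothetical variables are set.
if command -v oc >/dev/null 2>&1 && [ -n "${SA_NAMESPACE-}" ]; then
  register_sa_oauth_client "$SA_NAMESPACE" "$SA_NAME" "$DEX_ISSUER"
  render_dex_connector "$OPENSHIFT_API" "$OPENSHIFT_OAUTH_CLIENT_ID" "$(dex_redirect_uri "$DEX_ISSUER")"
fi
```

Two things to know when running it for real: a JSON patch "add" on /metadata/annotations/... fails with a missing-parent error if the Service Account has no annotations yet, in which case oc annotate serviceaccount <name> serviceaccounts.openshift.io/oauth-redirecturi.dex=<uri> is the simpler route; and the rendered redirectURI must be byte-for-byte identical to the annotated value, which is why both are produced by the same dex_redirect_uri function rather than typed twice.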