Here we’ll cover in more detail how to configure and use authentication in Application Manager.
For authentication, two methods are supported in Application Manager: OpenID Connect (OIDC) and API tokens.
Both methods can be used at the same time by configuring them independently. By default, both methods are disabled.
To enable them, you need to provide a configuration in the main Application Manager configuration file.
Below is a non-exhaustive list of some of the more established OIDC providers available:
- Microsoft Azure AD
As well as these popular hosted solutions, there are a number of solutions for running your own OIDC compatible authentication provider.
Dex is one such option, which can also act as a bridge/proxy between other providers and protocols, for example using LDAP (Lightweight Directory Access Protocol), Active Directory, or SAML (Security Assertion Markup Language) on the backend while speaking OIDC with Application Manager.
To enable OpenID Connect, you need to register a new client on your OIDC Provider’s side.
- Register a client as web application at your OIDC provider;
- Provide /api/auth/login/oidc path as the login redirect URI in your provider’s management console;
- Add clientId, secret and discoveryUri from your OIDC Provider to the Application Manager’s configuration file (see below);
- Optionally, you may configure custom scopes, groups and OIDC claims.
Please consult the documentation of your OIDC Provider for more specific details.
Below, you will find the configuration options of Application Manager:
auth:
  # This entry enables oidc configuration, default value is "none".
  authentication: oidc
  # An OIDC configuration. Required if `authentication: oidc` is set.
  oidc:
    # OpenID Connect client configuration (required). Provided by your OIDC Provider.
    clientId: client-id-from-provider
    secret: client-secret-from-provider
    discoveryUri: a-url-to-openid-provider-discovery-api
    # Below are optional parameters, with their default values...
    # Claims of the OIDC token, received from the provider during authentication
    usernameClaim: email   # Used to identify the user
    groupsClaim: groups    # Used to identify groups a user belongs to
    # Requested response type(s), supported:
    # - code|code id_token|code token|code id_token token|id_token|id_token token
    responseType: code
    # Requested scopes (oidc scope is included by default)
    scopes: [email]
    # Connection timeouts to access OIDC endpoints (in milliseconds)
    connectTimeoutMs: 500
    readTimeoutMs: 5000
In order to enable usage of API tokens, you have to specify an application secret.
auth:
  # Optionally enables API tokens
  apiTokens:
    # Application-specific secret used for API tokens
    secretKey: a-generated-string
If API tokens are not configured, the api-tokens endpoints will return a 501 (not implemented).
The following example enables both OpenID Connect authentication and API tokens.
auth:
  # Enables OIDC authentication (the key is `authentication`, as in the reference above)
  authentication: oidc
  oidc:
    clientId: 00001234-5678-90ab-cdef-12ab34cd56ef
    secret: m0bzTCrdhROOCqPwxk52m/f8DJgC
    discoveryUri: https://login.microsoftonline.com/12345678-abcd-abcd-1234-1234567890ab/.well-known/openid-configuration
    usernameClaim: upn
  apiTokens:
    # Application-specific secret used for API tokens (`secretKey`, as in the reference above)
    secretKey: cwQ6hmvWPR/C6m-dXcP[m^D
No authorization has been configured in this example. As a result, every authenticated request is authorized.
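Because a mistyped key (for example `authorization` in place of `authentication`, or `secret` in place of `secretKey`) silently leaves a method disabled, it helps to lint the `auth:` section before deploying it. The following validator is an added example, not Application Manager code; it works on an already-parsed configuration (a dict) and encodes only the options documented on this page, with the https requirement on `discoveryUri` added as a recommended check.

```python
# Added example (not Application Manager code): lint a parsed `auth:` section
# against the options documented above, before the file reaches the server.
OIDC_RESPONSE_TYPES = {"code", "code id_token", "code token",
                       "code id_token token", "id_token", "id_token token"}
OIDC_REQUIRED = ("clientId", "secret", "discoveryUri")
OIDC_OPTIONAL = {"usernameClaim", "groupsClaim", "responseType", "scopes",
                 "connectTimeoutMs", "readTimeoutMs"}

# Constructed sample mirroring the combined example above; secrets are fake.
SAMPLE = {"auth": {
    "authentication": "oidc",
    "oidc": {"clientId": "00001234-5678-90ab-cdef-12ab34cd56ef",
             "secret": "m0bzTCrdhROOCqPwxk52m/f8DJgC",
             "discoveryUri": "https://login.microsoftonline.com/12345678-abcd-abcd-1234-1234567890ab/.well-known/openid-configuration",
             "usernameClaim": "upn"},
    "apiTokens": {"secretKey": "cwQ6hmvWPR/C6m-dXcP[m^D"}}}


def validate_auth(config):
    """Return the problems found in config["auth"]; an empty list means OK."""
    problems = []
    auth = config.get("auth") or {}
    for key in auth:  # catches e.g. `authorization:` typed for `authentication:`
        if key not in ("authentication", "oidc", "apiTokens"):
            problems.append(f"auth.{key}: unknown key")
    mode = auth.get("authentication", "none")  # documented default is "none"
    if mode not in ("none", "oidc"):
        problems.append(f"auth.authentication: unsupported value {mode!r}")
    if mode == "oidc":
        oidc = auth.get("oidc")
        if not isinstance(oidc, dict):
            problems.append("auth.oidc: required when authentication is oidc")
            oidc = {}
        for key in OIDC_REQUIRED:
            if not oidc.get(key):
                problems.append(f"auth.oidc.{key}: required")
        for key in oidc:
            if key not in OIDC_REQUIRED and key not in OIDC_OPTIONAL:
                problems.append(f"auth.oidc.{key}: unknown key")
        # Discovery metadata (issuer, JWKS URL) must arrive over TLS.
        if oidc.get("discoveryUri") and not oidc["discoveryUri"].startswith("https://"):
            problems.append("auth.oidc.discoveryUri: must be an https URL")
        if oidc.get("responseType", "code") not in OIDC_RESPONSE_TYPES:
            problems.append("auth.oidc.responseType: unsupported value")
    tokens = auth.get("apiTokens")
    if tokens is not None:  # section present means API tokens should be on
        if not isinstance(tokens, dict) or not tokens.get("secretKey"):
            problems.append("auth.apiTokens.secretKey: required for API tokens")
    return problems
```

Feed it the output of any YAML parser (for example `yaml.safe_load` from PyYAML) and treat a non-empty result as a deployment blocker.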