Authentication

Here we’ll cover in more detail how to configure and use authentication in Application Manager.

Introduction

Application Manager supports two authentication methods:

  • OpenID Connect (OIDC): controls access for interactive users by delegating login to a third-party OIDC identity provider;
  • API tokens: allow programmatic access (scripts, CI jobs, other services).

Both methods can be used at the same time by configuring them independently. By default, both methods are disabled.

To enable them, you need to provide a configuration in the main Application Manager configuration file.

OpenID Connect

Below is a non-exhaustive list of some of the more established OIDC providers available:

  • Okta
  • Google
  • Microsoft Azure AD

As well as these popular hosted solutions, there are a number of solutions for running your own OIDC compatible authentication provider.

Dex is one such option; it can also act as a bridge/proxy between other providers and protocols, for example using LDAP (Lightweight Directory Access Protocol), Active Directory, or SAML (Security Assertion Markup Language) on the backend while speaking OIDC to Application Manager.

To enable OpenID Connect, you first need to register a new client with your OIDC provider.

  1. Register a client of type "web application" at your OIDC provider;
  2. Register the /api/auth/login/oidc path (under the URL at which Application Manager is reachable) as the login redirect URI in your provider’s management console;
  3. Copy the clientId, secret and discoveryUri from your OIDC provider into the Application Manager configuration file (see below);
  4. Optionally, configure custom scopes and the claims used to derive the username and group membership.

Please consult the documentation of your OIDC provider for more specific details.

Below, you will find the configuration options of Application Manager:

auth:
  # Selects the authentication method. The default is "none" (authentication disabled).
  authentication: oidc

  # An OIDC configuration. Required if `authentication: oidc` is set.
  oidc:
    # OpenID Connect client configuration (required). Provided by your OIDC Provider.
    clientId: client-id-from-provider
    secret: client-secret-from-provider
    # Provider discovery document, usually ending in /.well-known/openid-configuration
    discoveryUri: a-url-to-openid-provider-discovery-api

    # Below are optional parameters, with their default values...

    # Claims of the OIDC token, received from the provider during authentication
    usernameClaim: email # Used to identify the user
    groupsClaim: groups  # Used to identify groups a user belongs to

    # Requested response type(s). Supported values:
    #  - code | code id_token | code token | code id_token token | id_token | id_token token
    responseType: code

    # Additional requested scopes (the openid scope is always requested)
    scopes: [email]

    # Connection timeouts to access OIDC endpoints (in milliseconds)
    connectTimeoutMs: 500
    readTimeoutMs: 5000

API Tokens

In order to enable API tokens, you have to specify an application secret. It is used to sign and verify the tokens, so it must be a long, randomly generated value that is kept out of version control; anyone who obtains it can mint valid API tokens.

auth:
  # Optionally enables API tokens
  apiTokens:
    # Application-specific secret used for API tokens
    secretKey: a-generated-string

If API tokens are not configured, the api-tokens endpoints will return 501 (Not Implemented).

Example Configuration

The following example enables both OpenID Connect authentication (against Azure AD) and API tokens. The identifiers and secrets shown are placeholders; use the values issued by your provider and generate your own secretKey.

auth:
  authentication: oidc

  oidc:
    clientId: 00001234-5678-90ab-cdef-12ab34cd56ef
    secret: m0bzTCrdhROOCqPwxk52m/f8DJgC
    discoveryUri: https://login.microsoftonline.com/12345678-abcd-abcd-1234-1234567890ab/.well-known/openid-configuration
    usernameClaim: upn

  apiTokens:
    secretKey: cwQ6hmvWPR/C6m-dXcP[m^D

Note

No authorization has been configured in this example. As a result, every authenticated request is authorized: any user who can log in at the OIDC provider, and any holder of an API token, gets full access.
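The configuration keys above are easy to get subtly wrong (a misspelled `authentication` key silently leaves OIDC disabled, a misspelled `secretKey` leaves the api-tokens endpoints returning 501, and a `responseType`, scope or claim the provider does not offer only fails at login time). The following preflight lint is an added example, not part of Application Manager. It assumes the `auth:` block has already been loaded into a dict (for instance with `yaml.safe_load`) and that the provider's discovery document has been fetched from `discoveryUri`; both are constructed inline here so the check runs offline. The supported response types, default claims and the `/api/auth/login/oidc` redirect path come from this page; the 32-character minimum for `secretKey` and the `redirect_uri` helper are assumptions.

```python
"""Preflight lint for an Application Manager `auth:` block (added example)."""
import secrets
from urllib.parse import urlparse

# Response types listed as supported on this page.
SUPPORTED_RESPONSE_TYPES = {
    "code", "code id_token", "code token", "code id_token token",
    "id_token", "id_token token",
}
DEFAULT_CLAIMS = {"usernameClaim": "email", "groupsClaim": "groups"}
REDIRECT_PATH = "/api/auth/login/oidc"
MIN_SECRET_LEN = 32  # assumption: treat anything shorter as too weak

# Constructed stand-in for the JSON document served at discoveryUri.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "claims_supported": ["sub", "email", "groups", "upn"],
}


def lint_auth_config(cfg, discovery=SAMPLE_DISCOVERY):
    """Return a list of problems found under cfg['auth']; an empty list means OK."""
    issues = []
    auth = cfg.get("auth") or {}

    if "authorization" in auth and "authentication" not in auth:
        issues.append("key is `authentication`, not `authorization`; OIDC stays disabled")
    mode = auth.get("authentication", "none")
    if mode not in ("none", "oidc"):
        issues.append(f"unknown authentication mode {mode!r}")

    if mode == "oidc":
        oidc = auth.get("oidc") or {}
        for key in ("clientId", "secret", "discoveryUri"):
            if not oidc.get(key):
                issues.append(f"oidc.{key} is required")
        uri = oidc.get("discoveryUri", "")
        if uri and urlparse(uri).scheme != "https":
            issues.append("oidc.discoveryUri must be https; the endpoints it points to carry the client secret")
        rt = oidc.get("responseType", "code")
        if rt not in SUPPORTED_RESPONSE_TYPES:
            issues.append(f"oidc.responseType {rt!r} is not supported")
        elif rt not in discovery.get("response_types_supported", []):
            issues.append(f"provider does not advertise response type {rt!r}")
        # openid is always requested; the configured scopes are added to it.
        advertised_scopes = discovery.get("scopes_supported")
        if advertised_scopes is not None:
            for scope in ["openid"] + list(oidc.get("scopes", ["email"])):
                if scope not in advertised_scopes:
                    issues.append(f"provider does not advertise scope {scope!r}")
        # claims_supported is optional in discovery; only check it when present.
        advertised_claims = discovery.get("claims_supported")
        if advertised_claims is not None:
            for key, default in DEFAULT_CLAIMS.items():
                claim = oidc.get(key, default)
                if claim not in advertised_claims:
                    issues.append(f"provider does not advertise claim {claim!r} used by oidc.{key}")

    tokens = auth.get("apiTokens")
    if tokens is not None:
        if "secret" in tokens and "secretKey" not in tokens:
            issues.append("apiTokens key is `secretKey`, not `secret`; api-tokens endpoints will return 501")
        key = tokens.get("secretKey", "")
        if key and (len(key) < MIN_SECRET_LEN or key == "a-generated-string"):
            issues.append("apiTokens.secretKey is a placeholder or shorter than 32 characters")
    return issues


def generate_api_token_secret(nbytes=32):
    """Random URL-safe value for secretKey (assumed acceptable to Application Manager)."""
    return secrets.token_urlsafe(nbytes)


def redirect_uri(base_url):
    """Login redirect URI to register at the provider for Application Manager at base_url."""
    return base_url.rstrip("/") + REDIRECT_PATH


if __name__ == "__main__":
    # Constructed config with the two key typos this lint is meant to catch.
    broken = {"auth": {"authorization": "oidc", "apiTokens": {"secret": "x"}}}
    for problem in lint_auth_config(broken):
        print("-", problem)
    print("redirect URI:", redirect_uri("https://appmgr.example.com/"))
```

Run it against your parsed configuration before restarting Application Manager; an empty result means the keys, response type, scopes and claims line up with what the provider advertises. The claim check matters most when `usernameClaim` is changed (for example to `upn`): a claim the provider never emits yields logins that succeed at the provider but cannot be mapped to a user.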