Authentication¶

Note

This feature is only available in Ververica Platform Stream Edition and above.

Authentication is the process of verifying who an entity (such as a user) is. In order to enable authentication for Ververica Platform you have to integrate with an external identity provider. Ververica Platform does not actively manage user records (such as names or passwords).

The following identity providers are supported:

OpenID Connect (OIDC)
- Configuration

OpenID Connect (OIDC)¶

Ververica Platform supports integration with OpenID Connect (OIDC) identity providers for authentication. OIDC is an authentication protocol that is based on the OAuth 2.0 family of specifications.

If your organization uses a different authorization system, such as Lightweight Directory Access Protocol (LDAP), Active Directory, or Security Assertion Markup Language (SAML), you may use an OIDC bridge such as Dex to connect the systems.

Configuration ¶

In order to enable the OIDC integration, you have to configure it in the main configuration file under the vvp.auth.oidc key by providing a registration and provider specification.

The groupsClaim key indicates the OIDC ID token claim that contains a list of a user’s groups. These groups can be referenced in Role Bindings by using the group: prefix. For example, if the ID token for an authenticated user contains the claim groups: ["vvp-editors"], and you configure vvp.oidc.groupsClaim=groups, a role binding assigning the role editor to group:vvp-editors will match this user.

Note that currently this claim must be present in the ID token returned by the OIDC provider. Claims in the access token are not supported because access tokens have no standardized structure and parsing them is implementation-specific.

Example: OIDC configuration template

vvp:
  auth:
    enabled: true
    admins:
    - user:foo@bar.com
    oidc:
      groupsClaim: roles  # The OIDC ID token claim containing a list of a user's groups
      registrationId: my-oidc-provider
      registration:
        clientId: vvp
        clientSecret: secret
        redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
        clientAuthenticationMethod: basic
        authorizationGrantType: authorization_code
        scope:
        - openid
      provider:
        authorizationUri: http://my-oidc-provider.internal/openid-connect/auth
        tokenUri: http://my-oidc-provider.internal/openid-connect/token
        userInfoUri: http://my-oidc-provider.internal/openid-connect/userinfo
        jwkSetUri: http://my-oidc-provider.internal/openid-connect/certs
        userNameAttribute: email  # Required to correctly identify users
      endSessionEndpoint: http://my-oidc-provider.internal/openid-connect/logout

registration and provider expose Spring Security objects; more information about configuring these objects can be found in the Spring Boot documentation.

Please consult the Configuration section for more specific examples.

Authentication¶

OpenID Connect (OIDC)¶

Configuration¶

Configuration ¶