Authentication

Note

This feature is only available in Ververica Platform Stream Edition and above.

Authentication is the process of verifying who an entity (such as a user) is. In order to enable authentication for Ververica Platform you have to integrate with an external identity provider. Ververica Platform does not actively manage user records (such as names or passwords).

The following identity providers are supported:

OpenID Connect (OIDC)

Ververica Platform supports integration with OpenID Connect (OIDC) identity providers for authentication. OIDC is an authentication protocol that is based on the OAuth 2.0 family of specifications.

If your organization uses a different authorization system, such as Lightweight Directory Access Protocol (LDAP), Active Directory, or Security Assertion Markup Language (SAML), you may use an OIDC bridge such as Dex to connect the systems.

Configuration

In order to enable the OIDC integration, you have to configure it in the main configuration file under the vvp.auth.oidc key by providing a registration and provider specification.

The groupsClaim key indicates the OIDC ID token claim that contains a list of a user’s groups. These groups can be referenced in Role Bindings by using the group: prefix. For example, if the ID token for an authenticated user contains the claim groups: ["vvp-editors"], and you configure vvp.oidc.groupsClaim=groups, a role binding assigning the role editor to group:vvp-editors will match this user.

Note that currently this claim must be present in the ID token returned by the OIDC provider. Claims in the access token are not supported because access tokens have no standardized structure and parsing them is implementation-specific.

Example: OIDC configuration template

vvp:
  auth:
    enabled: true
    admins:
    - user:foo@bar.com
    oidc:
      groupsClaim: roles  # The OIDC ID token claim containing a list of a user's groups
      registrationId: my-oidc-provider
      registration:
        clientId: vvp
        clientSecret: secret
        redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
        clientAuthenticationMethod: basic
        authorizationGrantType: authorization_code
        scope:
        - openid
      provider:
        authorizationUri: http://my-oidc-provider.internal/openid-connect/auth
        tokenUri: http://my-oidc-provider.internal/openid-connect/token
        userInfoUri: http://my-oidc-provider.internal/openid-connect/userinfo
        jwkSetUri: http://my-oidc-provider.internal/openid-connect/certs
        userNameAttribute: email  # Required to correctly identify users
      endSessionEndpoint: http://my-oidc-provider.internal/openid-connect/logout

registration and provider expose Spring Security objects; more information about configuring these objects can be found in the Spring Boot documentation.

Please consult the Configuration section for more specific examples.

Secure clientSecret with Kubernetes Secrets

In a production environment, you may want to secure clientSecret with Kubernetes Secrets. To do so, you first remove it from the configuration above, then create a yaml file containing:

# file: env_secret.yaml
env:
# OIDC authentication:
- name: vvp.auth.oidc.registration.clientSecret
  valueFrom:
    secretKeyRef:
      name: mysecrets  # the name of the Kubernetes Secret
      key: oidc        # the key

Then you can install Ververica Platform with this additional values file:

$ helm install ... --values env_secret.yaml

Use helm upgrade if you are upgrading/modifying an existing installation.