Authentication

Authentication is the process of verifying who an entity (such as a user) is. In order to enable authentication for Ververica Platform, you have to integrate with an external identity provider. Ververica Platform does not actively manage user records (such as names or passwords).

Ververica Platform supports integration with OpenID Connect (OIDC) for authentication.

OpenID Connect (OIDC)

Ververica Platform supports integration with OpenID Connect (OIDC) identity providers for authentication. OIDC is an authentication protocol that is based on the OAuth 2.0 family of specifications.

If your organization uses a different identity system, such as Lightweight Directory Access Protocol (LDAP), Active Directory, or Security Assertion Markup Language (SAML), you can use an OIDC bridge such as Dex to connect it to Ververica Platform.

Configuration

In order to enable the OIDC integration, you have to configure it in the main configuration file under the vvp.auth.oidc key by providing a registration and provider specification.

The groupsClaim key names the OIDC ID token claim that contains the list of the user's groups. These groups can be referenced in role bindings with the group: prefix. For example, if the ID token of an authenticated user contains the claim groups: ["vvp-editors"], and you configure vvp.auth.oidc.groupsClaim=groups, a role binding that assigns the role editor to group:vvp-editors will match this user.

Note that currently this claim must be present in the ID token returned by the OIDC provider. Claims in the access token are not supported because access tokens have no standardized structure and parsing them is implementation-specific.
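The following is an added illustration, not Ververica Platform's own code, of the matching rule described above: a user's subject is user:<value of userNameAttribute> and every entry of the groupsClaim list becomes group:<name>, and only claims in the verified ID token count. The HS256 signing key, the issuer, the role bindings and the tokens are all constructed for the example (a real provider signs with the asymmetric keys it publishes at jwkSetUri, and the platform's Spring Security stack performs the verification). The handling of a bare-string groups claim is an assumption about lenient providers, not something the page states.

```python
"""Added example: map a verified OIDC ID token to role-binding subjects."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; not real credentials or endpoints.
DEMO_KEY = b"constructed-demo-key"          # HS256 key for the self-contained demo
ISSUER = "http://my-oidc-provider.internal"  # expected 'iss' claim
CLIENT_ID = "vvp"                            # expected 'aud' claim (registration.clientId)

# Mirrors the relevant keys of the page's vvp.auth.oidc template.
OIDC_CONFIG = {"groupsClaim": "roles", "userNameAttribute": "email"}

# Constructed role bindings: (role, subject).
ROLE_BINDINGS = [
    ("editor", "group:vvp-editors"),
    ("viewer", "group:vvp-viewers"),
    ("owner", "user:foo@bar.com"),
]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims, key=DEMO_KEY):
    """Build a compact JWS (HS256) carrying the given claims (demo provider side)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token, key=DEMO_KEY, now=None):
    """Check alg, signature, issuer, audience and expiry; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def subjects_for(claims, config=OIDC_CONFIG):
    """Derive the role-binding subjects a verified ID token grants."""
    subjects = set()
    username = claims.get(config["userNameAttribute"])
    if username:
        subjects.add(f"user:{username}")
    groups = claims.get(config["groupsClaim"], [])
    if not isinstance(groups, list):           # assumption: tolerate a single-string claim
        groups = [groups]
    subjects.update(f"group:{g}" for g in groups)
    return subjects


def roles_for(claims, bindings=ROLE_BINDINGS, config=OIDC_CONFIG):
    """Roles whose binding subject matches one of the token's subjects."""
    subjects = subjects_for(claims, config)
    return {role for role, subject in bindings if subject in subjects}


if __name__ == "__main__":
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "42", "exp": time.time() + 300}
    # Provider puts the groups into the 'roles' claim of the ID token.
    tok = make_id_token({**base, "email": "alice@bar.com", "roles": ["vvp-editors"]})
    print(roles_for(verify_id_token(tok)))
    # Same user, but the provider only emits groups in the access token: the ID
    # token carries no 'roles' claim, so no group binding matches.
    tok2 = make_id_token({**base, "email": "alice@bar.com"})
    print(roles_for(verify_id_token(tok2)))
```

The second token in the usage shows the caveat from the text: if a provider only emits group membership in the access token, the ID token has no groups claim and the user ends up with user: bindings only. When role bindings silently stop matching after an identity-provider change, checking the decoded ID token for the configured claim is the first thing to do.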

Example: OIDC configuration template

    vvp:
      auth:
        enabled: true
        admins:
          - user:foo@bar.com
        oidc:
          groupsClaim: roles # The OIDC ID token claim containing a list of the user's groups
          registrationId: my-oidc-provider
          registration:
            clientId: vvp
            clientSecret: secret # Prefer a Kubernetes Secret in production, see below
            redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
            clientAuthenticationMethod: basic
            authorizationGrantType: authorization_code
            scope:
              - openid
          provider:
            # Use https:// endpoints with a real provider; the ID token is validated against keys fetched from jwkSetUri
            authorizationUri: http://my-oidc-provider.internal/openid-connect/auth
            tokenUri: http://my-oidc-provider.internal/openid-connect/token
            userInfoUri: http://my-oidc-provider.internal/openid-connect/userinfo
            jwkSetUri: http://my-oidc-provider.internal/openid-connect/certs
            userNameAttribute: email # Required to correctly identify users
            endSessionEndpoint: http://my-oidc-provider.internal/openid-connect/logout

registration and provider are passed through to Spring Security's client registration and provider objects; the Spring Boot documentation describes the available settings for these objects.

Please consult the Configuration section for more specific examples.

Secure clientSecret with Kubernetes Secrets

In a production environment, keep clientSecret out of the values file and inject it from a Kubernetes Secret instead. To do so, remove clientSecret from the configuration above and create a yaml file containing the following. The referenced Secret (mysecrets with key oidc in this example) must exist in the same namespace before the pod starts:

    # file: env_secret.yaml
    env:
      # OIDC authentication:
      - name: vvp.auth.oidc.registration.clientSecret
        valueFrom:
          secretKeyRef:
            name: mysecrets # the name of the Kubernetes Secret
            key: oidc # the key within the Secret

Then you can install Ververica Platform with this additional values file:

    helm install ... --values env_secret.yaml

Use helm upgrade with the same additional values file if you are upgrading or modifying an existing installation.