OIDC Identity Provider
OpenID Connect is an interoperable authentication protocol built on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with the design goal of "making simple things simple and complicated things possible". It is easier for developers to integrate than any preceding identity protocol, and it is supported by a wide range of identity providers, such as Keycloak, Okta, Dex, Auth0, Gluu, and many more.
Example of using Google Identity Platform:

```yaml
apiVersion: v1
data:
  kubesphere.yaml: |
    authentication:
      authenticateRateLimiterMaxTries: 10
      authenticateRateLimiterDuration: 10m0s
      jwtSecret: "********"
      oauthOptions:
        accessTokenMaxAge: 1h
        accessTokenInactivityTimeout: 30m
        identityProviders:
          - name: google
            type: OIDCIdentityProvider
            mappingMethod: auto
            provider:
              clientID: '********'
              clientSecret: '********'
              issuer: https://accounts.google.com
              redirectURL: 'https://ks-console/oauth/redirect/google'
kind: ConfigMap
metadata:
  name: kubesphere-config
  namespace: kubesphere-system
```
For the above example:

| Parameter | Description |
|---|---|
| clientID | The OAuth2 client ID. |
| clientSecret | The OAuth2 client secret. |
| redirectURL | The URL on ks-console that the provider redirects back to after login. |
| issuer | The OpenID Provider issuer URL; clients use it to dynamically discover the provider's endpoints and keys. |
| preferredUsernameKey | Configurable claim key that contains the preferred username. |
| emailKey | Configurable claim key that contains the email address. |
| getUserInfo | Uses the userinfo endpoint to fetch additional claims for the token. This is especially useful where upstreams return "thin" ID tokens. |
| insecureSkipVerify | Turns off TLS certificate verification for the provider. |
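As an added example (not KubeSphere's own code), the Go below applies two checks implied by the table: the `issuer` advertised in the provider's discovery document must equal the configured issuer exactly, and the username and email are taken from the claims named by `preferredUsernameKey` and `emailKey`, falling back to userinfo only when `getUserInfo` is on and rejecting a userinfo response whose `sub` differs from the ID token's. The `ProviderConfig` struct, the `Identity` type and the claim values used in the test are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ProviderConfig mirrors the provider fields on this page that drive identity
// mapping (a constructed struct, not KubeSphere's own configuration type).
type ProviderConfig struct {
	Issuer, PreferredUsernameKey, EmailKey string
	GetUserInfo                            bool
}

type Identity struct{ Subject, Username, Email string }

// checkIssuer enforces the OIDC Discovery rule: the "issuer" field of the document
// at {issuer}/.well-known/openid-configuration must equal the configured issuer.
func checkIssuer(cfg ProviderConfig, discoveryJSON []byte) error {
	var doc struct{ Issuer string `json:"issuer"` }
	if err := json.Unmarshal(discoveryJSON, &doc); err != nil {
		return err
	}
	if doc.Issuer != cfg.Issuer {
		return fmt.Errorf("issuer mismatch: configured %q, discovered %q", cfg.Issuer, doc.Issuer)
	}
	return nil
}

// mapClaims derives the local identity from ID-token claims; userinfo claims are
// consulted only when getUserInfo is on and the ID token lacks the key ("thin").
func mapClaims(cfg ProviderConfig, idToken, userinfo map[string]interface{}) (Identity, error) {
	sub, _ := idToken["sub"].(string)
	if sub == "" {
		return Identity{}, fmt.Errorf("id token has no sub claim")
	}
	// OIDC Core 5.3.2: a userinfo response whose sub differs must be rejected.
	if usub, ok := userinfo["sub"].(string); cfg.GetUserInfo && ok && usub != sub {
		return Identity{}, fmt.Errorf("userinfo sub %q does not match id token sub %q", usub, sub)
	}
	pick := func(key string) string {
		v, _ := idToken[key].(string)
		if v == "" && cfg.GetUserInfo {
			v, _ = userinfo[key].(string)
		}
		return v
	}
	id := Identity{Subject: sub, Username: pick(cfg.PreferredUsernameKey), Email: pick(cfg.EmailKey)}
	if id.Username == "" {
		return Identity{}, fmt.Errorf("claim %q absent from id token and userinfo", cfg.PreferredUsernameKey)
	}
	return id, nil
}
```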