About #
The OIDC section of the helm chart enables you to set up authentication through upstream IDPs. To use authentication, you must have an Enterprise license.
We recommend setting up this section alongside the Enterprise Server section of your Helm chart so that you can easily scale multiple clusters using the same authentication configurations.
Values #
The following section contains a series of tabs for commonly used configurations for this section of your values.yml Helm chart.
Options:
oidc:
issuerURI: "" # inferred if running locally or using proxy
requireVerifiedEmail: false # if true, email verification is required to authenticate
IDTokenExpiry: 24h # if set, specifies the duration where OIDC ID Tokens are valid; parsed into golang's time.Duration: https://pkg.go.dev/time#example-ParseDuration
RotationTokenExpiry: 48h # If set, enables OIDC rotation tokens, and specifies the duration where they are valid.
userAccessibleOauthIssuerHost: "" # (Optional) Only set in cases where the issuerURI is not user accessible (ie. localhost install)
mockIDP: true # if true, ignores upstreamIDPs in favor of a placeholder IDP with the username/password of "admin"/"password"
oidc:
issuerURI: "" # inferred if running locally or using proxy
requireVerifiedEmail: false # if true, email verification is required to authenticate
IDTokenExpiry: 24h # if set, specifies the duration where OIDC ID Tokens are valid; parsed into golang's time.Duration: https://pkg.go.dev/time#example-ParseDuration
RotationTokenExpiry: 48h # If set, enables OIDC rotation tokens, and specifies the duration where they are valid.
userAccessibleOauthIssuerHost: "" # (Optional) Only set in cases where the issuerURI is not user accessible (ie. localhost install)
upstreamIDPs: # defines a list of Identity Providers to use for authentication. https://dexidp.io/docs/connectors/
- id: idpConnector
config:
issuer: ""
clientID: ""
clientSecret: ""
redirectURI: "http://localhost:30658/callback"
insecureEnableGroups: true
insecureSkipEmailVerified: true
insecureSkipIssuerCallbackDomainCheck: true
forwardedLoginParams:
- login_hint
name: idpConnector
type: oidc
- id: okta
config:
issuer: "https://dev-84362674.okta.com"
clientID: "client_id"
clientSecret: "notsecret"
redirectURI: "http://localhost:30658/callback"
insecureEnableGroups: true
insecureSkipEmailVerified: true
insecureSkipIssuerCallbackDomainCheck: true
forwardedLoginParams:
- login_hint
name: okta
type: oidc
upstreamIDPsSecretName: "" # passes the upstreamIDPs value via an existing k8s secret (key: `upstream-idps`)
dexCredentialSecretName: "" # mounts a credential file to the pachd pod at /dexcreds/ (e.g., serviceAccountFilePath: /dexcreds/googleAuth.json); required for some dex configs like Google.
mockIDP: false # if true, ignores upstreamIDPs in favor of a placeholder IDP with the username/password of "admin"/"password"oidc:
issuerURI: "" # inferred if running locally or using proxy
requireVerifiedEmail: false # if true, email verification is required to authenticate
IDTokenExpiry: 24h # if set, specifies the duration where OIDC ID Tokens are valid; parsed into golang's time.Duration: https://pkg.go.dev/time#example-ParseDuration
RotationTokenExpiry: 48h # If set, enables OIDC rotation tokens, and specifies the duration where they are valid.
userAccessibleOauthIssuerHost: "" # (Optional) Only set in cases where the issuerURI is not user accessible (ie. localhost install)
upstreamIDPs: # defines a list of Identity Providers to use for authentication. https://dexidp.io/docs/connectors/
- id: idpConnector
config:
issuer: ""
clientID: ""
clientSecret: ""
redirectURI: "http://localhost:30658/callback"
insecureEnableGroups: true
insecureSkipEmailVerified: true
insecureSkipIssuerCallbackDomainCheck: true
forwardedLoginParams:
- login_hint
name: idpConnector
type: oidc
- id: okta
config:
issuer: "https://dev-84362674.okta.com"
clientID: "client_id"
clientSecret: "notsecret"
redirectURI: "http://localhost:30658/callback"
insecureEnableGroups: true
insecureSkipEmailVerified: true
insecureSkipIssuerCallbackDomainCheck: true
forwardedLoginParams:
- login_hint
name: okta
type: oidc
upstreamIDPsSecretName: "" # passes the upstreamIDPs value via an existing k8s secret (key: `upstream-idps`)
dexCredentialSecretName: "" # mounts a credential file to the pachd pod at /dexcreds/ (e.g., serviceAccountFilePath: /dexcreds/googleAuth.json); required for some dex configs like Google.
mockIDP: false # if true, ignores upstreamIDPs in favor of a placeholder IDP with the username/password of "admin"/"password"
additionalOIDCClient:
- id: example-app
secret: example-app-secret
name: 'Example App'
redirectURIs:
- 'http://127.0.0.1:5555/callback'
additionalClientsSecretName: ""