Auth0

Before You Start #

• You must have the following enabled on your cluster:
  • Enterprise
  • TLS
• You must have an Auth0 account
• You should know the value of your proxy.host setting in your Helm values.yaml file

How to Enable Auth0 as an IdP #

⚠️

The following guide does not cover how to create user pools in Auth0; once initially configured, any user with a Gmail account can log in to your Pachyderm instance. Refer to the official Auth0 documentation on how to manage users.

1. Create an App on Auth0 #

1. Log in to your Auth0 account.
2. In Applications, click Create Application.
3. Type the name of your application, such as Pachyderm.
4. In the application type, select Regular Web Application.
5. Click Create.
6. Go to the application settings.
7. Scroll down to Application URIs.
8. In the Allowed Callback URLs, add the Pachyderm callback link in the following format:

https://<your.proxy.host.value>/dex/callback

9. Scroll down to Show Advanced Settings.
10. Select Grant Types.
11. Verify that Authorization Code and Refresh Token are selected.

2. Define Helm Config #

The following steps add the OIDC section to your Helm chart. When an upstream IdP is successfully added to the list, Pachyderm’s default MockIdP is disabled automatically. You can add multiple IdPs to upstreamIDPs.

1. Navigate to your values.yamls file or obtain your current Helm values.yaml overrides:

   helm get values pachyderm  > values.yaml

   
2. Add the following section:

Syntax:

json

yaml

{
  "oidc": {
    "upstreamIDPs": [
      {
        "type": "oidc",
        "id": "auth0",
        "name": "Auth0",
        "config": {
          "issuer": "https://<auth0.app.domain.url>/",
          "clientID": "FbTzaVdABC9TbX07pXqxHwofuEOux004",
          "clientSecret": "1kbxtx22DLLMNOrjJgV-RaaUsmTzGoQ3h4UEeQ2hmduP1qPLK5yTOsrmwwVNXP9U",
          "redirectURI": "https://<proxy.host.value.com>/dex/callback",
          "insecureEnableGroups": true,
          "insecureSkipEmailVerified": true,
          "insecureSkipIssuerCallbackDomainCheck": false
        }
      }
    ]
  }
}

oidc:
  upstreamIDPs:
  - type: oidc
    id: auth0
    name: Auth0
    config:
        issuer: https://<auth0.app.domain.url>/
        clientID: FbTzaVdFCB9TbX07pXqxBwofuEOux004
        clientSecret: 1kbxtx22DLGSULrjJgV-TaaUsmTzGoQ3h4UZeQ2hmduP1qPLK5yTOsrmwwVNXP9U
        redirectURI: https://<proxy.host.value.com>/dex/callback 
        insecureEnableGroups: true
        insecureSkipEmailVerified: true
        insecureSkipIssuerCallbackDomainCheck: false

ℹ️

Note that Pachyderm’s YAML format is a simplified version of Dex’s sample config.

3. Update the following attributes:

4. Save your changes and upgrade your cluster:

   helm upgrade pachyderm pachyderm/pachyderm -f values.yaml

   

💡

Alternatively, you can create a secret containing your dex connectors (Key: upstream-idps) and reference its name in the field oidc.upstreamIDPsSecretName.

3. Login #

The users registered with your IdP are now ready to Log in to Pachyderm

Troubleshooting #

PachD CrashLoopBackOff #

If you encounter a CrashLoopBackOff error after running the kubectl get pods command, it’s likely that one of the following needs to be fixed:

• your issuer value is incorrect (it must have https:// and a trailing slash /).
• you have an unexpected field such as version in the config section oidc.updstreamIDPs entry.

Example Error in PachD Pod logs

You can obtain your pod logs by running: kubectl logs <pachd-pod-name> > logs.txt

create connector with ID: "auth0": unable to open connector: failed to get provider: oidc: issuer did not match the issuer returned by provider, expected "https://<auth0.app.domain.url>/" got "https://<auth0.app.domain.url>"