Configuring OpenID Connect
To protect a service that uses OpenID Connect, first set
oidc_server.enabled to true in the Helm configuration.
Then, create (or add to, if already existing) an
oidc-server-secrets Vault secret key.
The value of the key must be a JSON list, with each list member representing one OpenID Connect client.
Each list member must be an object with two keys:
id can be anything informative that you want to use to uniquely represent this OpenID Connect client.
secret should be a randomly-generated secret that the client will use to authenticate.
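As an added example (not part of the Gafaelfawr project or its documentation), the following builds a value for the oidc-server-secrets key in the shape described above and checks an existing value against that shape before it is stored; the client ids are constructed sample values and the 32-character minimum secret length is an assumption of this example, not a requirement stated by the documentation.

```python
import json
import secrets


def new_client(client_id: str) -> dict:
    """Return one list member: an informative id plus a random secret."""
    # 32 random bytes, URL-safe base64 encoded (about 43 characters).
    return {"id": client_id, "secret": secrets.token_urlsafe(32)}


def build_secret_value(client_ids: list) -> str:
    """Serialize the JSON list that goes into the Vault key."""
    return [new_client(cid) for cid in client_ids] and json.dumps(
        [new_client(cid) for cid in client_ids]
    )


def validate_secret_value(value: str) -> list:
    """Return a list of problems; an empty list means the value is well-formed.

    Checks the structure the documentation requires: a JSON list whose
    members are objects with exactly the keys id and secret, with unique
    ids. The minimum secret length is this example's own assumption.
    """
    problems = []
    try:
        clients = json.loads(value)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e}"]
    if not isinstance(clients, list):
        return ["top-level value must be a JSON list"]
    seen = set()
    for i, client in enumerate(clients):
        if not isinstance(client, dict) or set(client) != {"id", "secret"}:
            problems.append(f"member {i}: must be an object with keys id and secret")
            continue
        if not isinstance(client["id"], str) or not client["id"]:
            problems.append(f"member {i}: id must be a non-empty string")
        elif client["id"] in seen:
            problems.append(f"member {i}: duplicate id {client['id']!r}")
        seen.add(client["id"])
        secret = client["secret"]
        if not isinstance(secret, str) or len(secret) < 32:
            problems.append(f"member {i}: secret should be a random string of at least 32 characters")
    return problems


if __name__ == "__main__":
    # Constructed sample client ids for two services on the same host.
    value = build_secret_value(["chronograf", "open-distro"])
    print(value)
    print(validate_secret_value(value))
```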
Then, configure the client.
The authorization endpoint is
The token endpoint is
The userinfo endpoint is
The JWKS endpoint is
As with any other protected service, the client must run on the same URL host as Gafaelfawr, and these endpoints are all at that shared host (and should be specified using
The OpenID Connect client should be configured to request only the
No other scope is supported.
The client must be able to authenticate by sending a
client_secret parameter in the request to the token endpoint.
The JWT returned by the Gafaelfawr OpenID Connect server will include the authenticated username in the
preferred_username claims, and the numeric UID in the
Assuming that Gafaelfawr and Chronograf are deployed on the host
example.com and Chronograf is at the URL
/chronograf, here are the environment variables required to configure Chronograf:
GENERIC_CLIENT_SECRET should match a client ID and secret configured in the
oidc-server-secrets Vault key.
Be aware that this uses the
sub token claim, which corresponds to the user’s username, for authentication, rather than the default of the user’s email address.
(Gafaelfawr does not always have an email address for a user.)
Open Distro for Elasticsearch
Assuming that Gafaelfawr and Open Distro for Elasticsearch are deployed on the host
example.com, here are the settings required to configure Open Distro for Elasticsearch: