Configuring OpenID Connect¶
Configure Gafaelfawr¶
To protect a service that uses OpenID Connect, first set oidcServer.enabled to true in the Helm configuration.
Then, create (or add to, if already existing) an oidc-server-secrets secret for the gafaelfawr Phalanx application.
The value of the secret must be a JSON list, with each list member representing one OpenID Connect client. Each list member must be an object with the following keys:
idThe unique OpenID Connect client ID (the
client_idparameter in the OpenID Connect protocol) that the client will present during authentication.secretA randomly-generated secret that the client will use to authenticate via the
client_secretPOST parameter.return_uriThe acceptable return URL for this client. The actual return URL (the
redirect_uriparameter) of any authentication must exactly match this return URL except for query parameters and fragments. The path portion of this URL may not contain semicolons (;) to avoid potentially confusing parsing as either part of the path or as path parameters.
Configure the OpenID client¶
Gafaelfawr exposes the standard OpenID Connect configuration information at /.well-known/openid-configuration.
Clients that can auto-discover their configuration from that may only need to be configured with the client ID and secret matching the Gafaelfawr configuration.
For clients that require more manual configuration, the OpenID Connect routes are:
Authorization endpoint:
/auth/openid/login.Token endpoint:
/auth/openid/token.userinfo endpoint:
/auth/openid/userinfo.JWKS endpoint:
/.well-known/jwks.json.
As with any other protected service, the client must run on the same URL host as Gafaelfawr.
These endpoints are all at that shared host (and should be specified using https).
The client must use the authentication code OpenID Connect flow (see OpenID Connect Core 1.0 section 3.1). The other authentication flows are not supported.
OpenID scopes¶
The following OpenID Connect scopes are supported and influence what claims are included in the ID token:
openidRequired, per the OpenID Connect specification. The standard OAuth 2.0 and OpenID Connect claims will be included, as well as
scopeandsub. For the Gafaelfawr OpenID Connect provider,subwill always be the user’s username.profileAdds
preferred_username, with the same value assub, and, if this information is available,name. Gafaelfawr by design does not support attempting to break the name into components such as given name or family name.emailAdds the
emailclaim if the user’s email address is known.rubinAdds the
data_rightsclaim with a space-separated list of data releases the user has access to, if there are any. See OpenID Connect server for details on how to configure a mapping from group memberships to data releases. For more information about how this scope is used, see DMTN-253.
Examples¶
Chronograf¶
Assuming that Gafaelfawr and Chronograf are deployed on the host example.com and Chronograf is at the URL /chronograf, here are the environment variables required to configure Chronograf:
GENERIC_CLIENT_ID:chronograf-client-idGENERIC_CLIENT_SECRET:fb7518beb61d27aaf20675d62778dea9GENERIC_AUTH_URL:https://example.com/auth/openid/loginGENERIC_TOKEN_URL:https://example.com/auth/openid/tokenUSE_ID_TOKEN: 1JWKS_URL:https://example.com/.well-known/jwks.jsonGENERIC_API_URL:https://example.com/auth/openid/userinfoGENERIC_API_KEY:subGENERIC_SCOPES:openidPUBLIC_URL:https://example.com/chronografTOKEN_SECRET:pCY29u3qMTdWCNetOUD3OShsqwPm+pYKDNt6dqy01qw=
GENERIC_CLIENT_ID and GENERIC_CLIENT_SECRET should match a client ID and secret configured in the oidc-server-secrets Vault key.
The return_uri value for this entry in the oidc-server-secrets Vault key should be set to the PUBLIC_URL value above with /oauth/OIDC/callback appended.
Be aware that this uses the sub token claim, which corresponds to the user’s username, for authentication, rather than the default of the user’s email address.
Gafaelfawr does not always have an email address for a user.