From 7ade514530dfe50e6c64bceb6ecd163328fdb411 Mon Sep 17 00:00:00 2001
From: hrod
Date: Thu, 10 Oct 2024 00:31:07 +0300
Subject: [PATCH 1/3] Add OAuth2/OIDC authentication setup with Authentic and group-to-role mapping for RBAC
---
 configuration/authentication/oauth2.md | 23 +++++++++++++++++++
 .../supported-identity-providers.md | 15 ++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/configuration/authentication/oauth2.md b/configuration/authentication/oauth2.md
index 8aaf658..033044c 100644
--- a/configuration/authentication/oauth2.md
+++ b/configuration/authentication/oauth2.md
@@ -210,3 +210,26 @@ auth:
 custom-params:
 type: keycloak
 ```
+
+### Authentic
+
+ ```yaml
+auth:
+ type: OAUTH2
+ oauth2:
+ client:
+ authentic:
+ provider: authentic
+ clientId: xxx
+ clientSecret: yyy
+ scope: [ 'openid', 'profile', 'email' ]
+ client-name: authentic
+ issuer-uri: https:///application/o//
+ user-name-attribute: nickname # OR "name", "given_name", "email", "preferred_username"
+ redirect-uri: http://localhost:8080/login/oauth2/code/oauth2
+ authorization-grant-type: authorization_code
+ custom-params:
+ type: oauth
+ roles-field: groups
+ logoutUrl: https:///application/o//end-session/
+```
\ No newline at end of file
diff --git a/configuration/rbac-role-based-access-control/supported-identity-providers.md b/configuration/rbac-role-based-access-control/supported-identity-providers.md
index b6fdf84..5478a8a 100644
--- a/configuration/rbac-role-based-access-control/supported-identity-providers.md
+++ b/configuration/rbac-role-based-access-control/supported-identity-providers.md
@@ -92,3 +92,18 @@ Configure the role mapping to the okta group via generic provider mentioned abov
 type: role
 value: ""
 ```
+
+### Authentic
+
+You can map Authentic Groups to roles. First, confirm that your Authentic administrator has included the `profile` claim or the groups will not be passed in the auth token.
+
+Ensure `roles-field` in the auth config is set to `groups` and that `profile` is included in the `scope`, as groups are passed by default in the profile scope. See [here](../authentication/oauth2.md###Authentic) for more details.
+
+Configure the role mapping to the Authentic group via generic provider mentioned above:
+
+```yaml
+ subjects:
+ - provider: oauth
+ type: role
+ value: ""
+```
\ No newline at end of file
From 426c422812ebeb16747972168180f3c25f56587c Mon Sep 17 00:00:00 2001
From: hrod
Date: Thu, 10 Oct 2024 00:48:58 +0300
Subject: [PATCH 2/3] Fix the naming of the GoAuthentic provider to simplify search and understanding.
---
 configuration/authentication/oauth2.md | 12 ++++++------
 .../supported-identity-providers.md | 10 +++++-----
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/configuration/authentication/oauth2.md b/configuration/authentication/oauth2.md
index 033044c..307c6f0 100644
--- a/configuration/authentication/oauth2.md
+++ b/configuration/authentication/oauth2.md
@@ -211,25 +211,25 @@ auth:
 type: keycloak
 ```
 
-### Authentic
+### GoAuthentic

 ```yaml
 auth:
 type: OAUTH2
 oauth2:
 client:
- authentic:
- provider: authentic
+ goauthentic:
+ provider: goauthentic
 clientId: xxx
 clientSecret: yyy
 scope: [ 'openid', 'profile', 'email' ]
- client-name: authentic
- issuer-uri: https:///application/o//
+ client-name: goauthentic
+ issuer-uri: https:///application/o//
 user-name-attribute: nickname # OR "name", "given_name", "email", "preferred_username"
 redirect-uri: http://localhost:8080/login/oauth2/code/oauth2
 authorization-grant-type: authorization_code
 custom-params:
 type: oauth
 roles-field: groups
- logoutUrl: https:///application/o//end-session/
+ logoutUrl: https:///application/o//end-session/
 ```
\ No newline at end of file
diff --git a/configuration/rbac-role-based-access-control/supported-identity-providers.md b/configuration/rbac-role-based-access-control/supported-identity-providers.md
index 5478a8a..f85a9c8 100644
--- a/configuration/rbac-role-based-access-control/supported-identity-providers.md
+++ b/configuration/rbac-role-based-access-control/supported-identity-providers.md
@@ -93,17 +93,17 @@ Configure the role mapping to the okta group via generic provider mentioned abov
 value: ""
 ```
 
-### Authentic
+### GoAuthentic
 
-You can map Authentic Groups to roles. First, confirm that your Authentic administrator has included the `profile` claim or the groups will not be passed in the auth token.
+You can map GoAuthentic Groups to roles. First, confirm that your GoAuthentic administrator has included the `profile` claim or the groups will not be passed in the auth token.
 
-Ensure `roles-field` in the auth config is set to `groups` and that `profile` is included in the `scope`, as groups are passed by default in the profile scope. See [here](../authentication/oauth2.md###Authentic) for more details.
+Ensure `roles-field` in the auth config is set to `groups` and that `profile` is included in the `scope`, as groups are passed by default in the profile scope. See [here](../authentication/oauth2.md###GoAuthentic) for more details.
 
-Configure the role mapping to the Authentic group via generic provider mentioned above:
+Configure the role mapping to the GoAuthentic group via generic provider mentioned above:

 ```yaml
 subjects:
 - provider: oauth
 type: role
- value: ""
+ value: ""
 ```
\ No newline at end of file
From 6e83a73c3239709954e6daf5e671d6e430e3a67b Mon Sep 17 00:00:00 2001
From: hrod
Date: Thu, 10 Oct 2024 00:56:17 +0300
Subject: [PATCH 3/3] fix links
---
 .../supported-identity-providers.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/configuration/rbac-role-based-access-control/supported-identity-providers.md b/configuration/rbac-role-based-access-control/supported-identity-providers.md
index f85a9c8..35fef5d 100644
--- a/configuration/rbac-role-based-access-control/supported-identity-providers.md
+++ b/configuration/rbac-role-based-access-control/supported-identity-providers.md
@@ -82,7 +82,7 @@ Not yet supported, see [Issue 3741](https://github.com/provectus/kafka-ui/issues
 You can map Okta Groups to roles. First, confirm that your okta administrator has included the `group` claim or the groups will not be passed in the auth token.
 
-Ensure `roles-field` in the auth config is set to `groups` and that `groups` is included in the `scope`, see [here](../authentication/oauth2.md###Okta) for more details.
+Ensure `roles-field` in the auth config is set to `groups` and that `groups` is included in the `scope`, see [here](../authentication/oauth2.md#okta) for more details.

 Configure the role mapping to the okta group via generic provider mentioned above:
@@ -97,7 +97,7 @@ Configure the role mapping to the okta group via generic provider mentioned abov
 You can map GoAuthentic Groups to roles. First, confirm that your GoAuthentic administrator has included the `profile` claim or the groups will not be passed in the auth token.
 
-Ensure `roles-field` in the auth config is set to `groups` and that `profile` is included in the `scope`, as groups are passed by default in the profile scope. See [here](../authentication/oauth2.md###GoAuthentic) for more details.
+Ensure `roles-field` in the auth config is set to `groups` and that `profile` is included in the `scope`, as groups are passed by default in the profile scope. See [here](../authentication/oauth2.md#goauthentic) for more details.

 Configure the role mapping to the GoAuthentic group via generic provider mentioned above: