OIDC Integration
The Emporium OIDC integration allows apps to smoothly integrate into the built-in identity provider of Emporium. Users can select which user group can log into an app (all authenticated users, only admins or everyone).
Available Variables
The following variables are available to use within the values.emporium.yaml file.
| Variable | Description |
|---|---|
| .Emporium.Integrations.OIDC.ClientID | OIDC client id |
| .Emporium.Integrations.OIDC.ClientSecret | OIDC client secret |
| .Emporium.Integrations.OIDC.ConfigurationEndpoint | OIDC configuration endpoint (/.well-known/openid-configuration) |
| .Emporium.Integrations.OIDC.Issuer | OIDC issuer |
Configuration Flow
During the installation of an OIDC-enabled app, Emporium will:
- Create a new OIDC client in the identity provider for the app.
- Build the redirect URLs of the app. These consist of all publicly available hostnames of the app combined with the path(s) in the oidcRedirectPaths annotation.
- Configure the OIDC client with the redirect URLs.
- Pass variables like ClientID and ClientSecret to the values.emporium.yaml file.
TIP: The OIDC client created is the same one that is used by the DNS integration.
Define Redirect Paths
OIDC compatible applications always have a specific path where they want the user to be redirected after having authenticated with the identity provider.
Since this path is specific to every app, it can be specified in the oidcRedirectPaths annotation of the Helm chart of the app. See the example below. This is the job of the publisher of an Emporium app. Users usually don't have to worry about it.
Example
The publisher of an Emporium app specifies the redirect path in the Chart.yaml of the Helm chart.

```yaml
# ...
annotations:
  # ...
  # A list of paths, comma separated
  oidcRedirectPaths: /users/auth/openid_connect/callback
```
Then they can use it in values.emporium.yaml.

```yaml
# ...
auth:
  oidc:
    clientId: {{ .Emporium.Integrations.OIDC.ClientID }}
    issuer: {{ .Emporium.Integrations.OIDC.Issuer }}
```
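To make the configuration flow above concrete, here is an added example (not Emporium's own code) that parses a comma-separated oidcRedirectPaths annotation, combines it with the app's public hostnames the way the flow describes, and checks a redirect_uri against the resulting registration with the exact-match rule an OIDC client registration enforces. The https scheme, the hostnames and the annotation value are constructed assumptions.

```python
# Constructed sample input; not taken from a real Emporium app.
ANNOTATION = "/users/auth/openid_connect/callback, /oauth/callback"
HOSTNAMES = ["app.example.test", "app-alt.example.test"]


def parse_redirect_paths(annotation: str) -> list[str]:
    """Split the comma-separated oidcRedirectPaths annotation into clean paths.

    Rejects relative paths and paths carrying a query or fragment, since a
    redirect URI registered with such components would not match the exact
    redirect_uri the app later sends.
    """
    paths = []
    for raw in annotation.split(","):
        path = raw.strip()
        if not path:
            continue
        if not path.startswith("/"):
            raise ValueError(f"redirect path must be absolute: {path!r}")
        if "?" in path or "#" in path:
            raise ValueError(f"redirect path must not carry a query or fragment: {path!r}")
        paths.append(path)
    if not paths:
        raise ValueError("oidcRedirectPaths annotation is empty")
    return paths


def build_redirect_urls(hostnames: list[str], paths: list[str], scheme: str = "https") -> list[str]:
    """Every public hostname combined with every redirect path (assumed https)."""
    return sorted(f"{scheme}://{host}{path}" for host in hostnames for path in paths)


def is_registered(redirect_uri: str, registered: list[str]) -> bool:
    """Exact string comparison: a trailing slash or different case is a mismatch."""
    return redirect_uri in registered


if __name__ == "__main__":
    urls = build_redirect_urls(HOSTNAMES, parse_redirect_paths(ANNOTATION))
    for url in urls:
        print(url)
    print(is_registered("https://app.example.test/oauth/callback", urls))
    print(is_registered("https://app.example.test/oauth/callback/", urls))
```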