docs: Add OpenID Connect to the Authentication concepts page #537

Merged (2 commits) on Jan 29, 2024
16 changes: 16 additions & 0 deletions modules/concepts/examples/authenticationclass-keycloak.yaml
@@ -0,0 +1,16 @@
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
name: keycloak
spec:
provider:
oidc:
hostname: my.keycloak.server # <1>
port: 8080 # <2>
rootPath: /realms/master # <3>
scopes: # <4>
- email
- openid
- profile
principalClaim: preferred_username # <5>
providerHint: Keycloak # <6>
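Review bot: the example has no TLS setting anywhere in `spec.provider.oidc` and points at `my.keycloak.server` on port `8080`, so as written it talks to the identity provider over plain HTTP, which exposes the OIDC flow (authorization codes, tokens, the `preferred_username` claim) to anyone on the path. Since this is the only OIDC example on the concepts page, either show the provider's TLS setting alongside `hostname`/`port` (whatever the CRD names it) or add a YAML comment marking the plaintext setup as a local/development-only configuration, so readers do not copy it into production unchanged.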
20 changes: 20 additions & 0 deletions modules/concepts/pages/authentication.adoc
@@ -14,6 +14,7 @@ Multiple operators use this CRD as a way to express and configure the authentica
The following authentication providers are supported:

* <<LDAP>>: Authenticate users using an LDAP server.
* <<OIDC>>: Authenticate users using an OpenID connect provider.
* <<TLS>>: Authenticate users with client TLS certificates.
* <<Static>>: Authenticate users against a static list of users and passwords in a simple Kubernetes Secret.

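Review bot: the new bullet `* <<OIDC>>: Authenticate users using an OpenID connect provider.` spells the protocol name inconsistently with the section heading added further down (`=== OpenID Connect`); use the proper noun `OpenID Connect` in the bullet as well so the anchor text and the heading match.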
@@ -36,6 +37,25 @@ image::image$authentication-overview.drawio.svg[]

NOTE: Learn more in the xref:tutorials:authentication_with_openldap.adoc[OpenLDAP tutorial] and get a full overview of all the properties in the {crd-docs}/authentication.stackable.tech/authenticationclass/v1alpha1/#spec-provider-ldap[AuthenticationClass LDAP provider CRD reference].

[#OIDC]
=== OpenID Connect

An OIDC provider like https://www.keycloak.org/[Keycloak {external-link-icon}^] could be configured as follows:

[source,yaml]
----
include::example$authenticationclass-keycloak.yaml[]
----

<1> Hostname of the identity provider.
<2> Port of the identity provider. If TLS is used defaults to 443, otherwise to 80.
<3> Root HTTP path of the identity provider. Defaults to `/`.
<4> Scopes to request from your identity provider. It is recommended to request the `openid`, `email`, and `profile` scopes.
<5> If a product extracts some sort of "effective user" that is represented by a string internally, this config determines which claim is used to extract that string.
<6> This is a hint about which identity provider is used by the AuthenticationClass.

NOTE: Get a full overview of all the properties in the {crd-docs}/authentication.stackable.tech/authenticationclass/v1alpha1/#spec-provider-oidc[AuthenticationClass OIDC provider CRD reference].

[#tls]
=== TLS
The `TLS` provider configures a product to authenticate users using TLS certificates.
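Review bot: callout `<2>` says "Port of the identity provider. If TLS is used defaults to 443, otherwise to 80." but nothing in this section says where TLS to the identity provider is switched on, and the included example uses port `8080` with no TLS field, so the reader cannot tell from the docs whether the example is encrypted. Suggest rewording to "Defaults to 443 if TLS is used, otherwise to 80." and adding one sentence (or a callout) that names the provider setting that enables TLS, pointing to the CRD reference already linked in the NOTE. Two smaller points: "could be configured as follows" reads better as "can be configured as follows", and callout `<6>` should say what the `providerHint` changes in behaviour (which product-specific handling it enables) rather than only that it is "a hint", since that is what a reader needs in order to decide whether to set it.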