Skip to main content
Version: v4.4 Stable

OpenID Connect

OIDC authentication​

OpenID Connect Specification is an authentication layer built on top of OAuth 2.0, providing secure and standardized user authentication for applications. Implementing OIDC in the platform offers several benefits:

  • Enhanced security through token-based authentication
  • Simplified user management with centralized identity providers
  • Improved user experience with single sign-on (SSO) capabilities

  1. Create platform config for OIDC

    To configure OIDC for SSO, follow these steps:

    • Navigate to Admin > Config in the platform.
    • Adjust your configuration as shown in the example below.
    Platform OIDC configuration
    auth:
      # Tell vCluster Platform to allow OIDC for authentication
      oidc:
        #
        #
        # REQUIRED CONFIGURATION
        #
        #
        # IssuerURL is the URL the provider signs ID Tokens as.
        # If using Keycloak provide the realm as well, only providing the base URL will return a 404. Ex. https://your-keycloak/realms/YOUR-REALM
        issuerUrl: https://accounts.google.com
        # ClientID the JWT must be issued for, the "sub" field. Can be string literal or pulled from the environment.
        clientId: $CLIENTID
        # ClientSecret to issue tokens from the OIDC provider. Can be string literal or pulled from the environment.
        clientSecret: $CLIENTSECRET
        # Callback URL in the form of https://your-loft-domain/auth/oidc/callback
        redirectURI: https://vcluster-platform.my.domain/auth/oidc/callback
        #
        #
        # OPTIONAL CONFIGURATION
        #
        #
        # (Optional) Path to a PEM encoded root certificate of the provider.
        caFile: /tmp/ca-file.crt
        # (Optional) Specify whether to communicate without validating SSL certificates
        insecureCa: false
        # (Optional) UsernameClaim is the JWT field to use as the user's username.
        # If not set defaults to email.
        usernameClaim: email
        # (Optional) If specified, causes claims mapping to username to be prefix with
        # the provided value.
        usernamePrefix: my-prefix-
        # (Optional) If specified, causes the OIDCAuthenticator to try to populate the user's
        # groups with an ID Token field.
        groupsClaim: groups
        # (Optional) If specified, causes claims mapping to group names to be prefixed with the
        # value.
        groupsPrefix: group-prefix-
        # (Optional) If groups is non empty, access is denied if the user is not part of at least one
        # of the specified groups. This requires groupsClaim to be set!
        groups: ["my-oidc-group"]
        # (Optional) If specified, tells the OIDCAuthenticator to try to populate the user's
        # information from the UserInfo. This might be necessary for slim tokens such as used
        # by Okta
        getUserInfo: false
        # (Optional) Scopes that should be sent to the server. If empty, defaults to "email" and "profile".
        scopes: ["profile", "email"]
        # (Optional) EmailClaim is the JWT field to use as the user's email.
        emailClaim: "email"
        # (Optional) vCluster PlatformUsernameClaim is the JWT field to use as the user's ID (Kubernetes name) and username
        loftUsernameClaim: "name"
        # (Optional) PreferredUsername is the JWT field to use as the user's display name
        preferredUsername: "preferred_username"
        # (Optional) AllowedExtraClaims are claims of interest that are provided by the OIDC provider but may not already be
        # covered by a User field. These additional claims of interest will be copied to User.Spec.ExtraClaims.
        # Like other claims, User.Spec.ExtraClaims is only updated when the User logs in using the OIDC provider. A user must
        # login after changes to AllowedExtraClaims for them to be reflected in a User's User.Spec.ExtraClaims.
        allowedExtraClaims: ["department"]
    Obtaining OIDC credentials

    To obtain the required clientId and clientSecret, refer to your OIDC provider's documentation. Common providers include:

  2. Authenticate via OIDC

    After saving the new configuration, the platform should restart. You should then be able to log in via your OIDC provider.

  3. Disable Username + Password Authentication (optional)

    To turn off password-based authentication, navigate to Admin > Config add these two lines to your config:

    Disable password-based authentication
    auth:
      oidc: ...             # This is your SSO configuration (make sure this is working!)
      password:
        disabled: true      # Disable password-based authentication