DO380 - ch01s06

Bookmark this page

OIDC Authentication and Group Claims

Objectives

Configure an OIDC identity provider and automate group synchronization between OpenShift OAuth and an OIDC server.

OpenID Connect

You can use OpenShift to configure OpenID Connect (OIDC) identity providers (IdPs) for synchronizing users and groups.

OIDC is a set of standards for delegating the authentication of a user who accesses a protected resource. OIDC provides a way for applications to verify the identity of users and to obtain user profile information.

OIDC is the standard for cloud authentication, social authentication, single sign-on (SSO), and two-factor authentication (2FA). OIDC removes the responsibility of setting, storing, and managing passwords locally, which is often associated with credential-based data breaches, and which needs administration resources.

Examples of OIDC providers that are tested and supported on OpenShift include Google, Microsoft identity platform, and Keycloak. Red Hat provides Red Hat Single Sign-On (SSO) to extend the capabilities of the OpenShift internal OAuth, and to serve as the solution for an OIDC identity infrastructure. Red Hat SSO can run on bare metal or virtualized environments, or as pods on OpenShift.

Note

For more information about Red Hat SSO, refer to the Product Documentation for Red Hat Single Sign-On 7.6 at https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6

To see the full list of supported OIDC providers on OpenShift, you can refer to https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#identity-provider-oidc-supported_configuring-oidc-identity-provider

OIDC Tokens

OIDC relies on the JavaScript Object Signing and Encryption (JOSE) set of standards. The primary standard within JOSE is JSON Web Token (JWT), which serves as a standardized format for representing information in a readable piece of text data. The following list shows some JWT advantages:

Can parse in many programming languages
Can propagate across networks
Validates message integrity without relying on external validators or resource-intensive checks

Three parts, which are separated by a period, form the JWT token: the header, the payload, and the hash signature.

The header contains the type of the token and the signing algorithm.

The payload contains the user claims. User claims are attributes for the user with details about their identity, profile, privileges, and group membership. Examples of user claims are the sub, iat, exp, or iss parameters, which are the identity for the user, the issue date, the expiration date, and the token issuer, respectively.

Finally, the signature is composed of the concatenation of the encoded header, the encoded payload, and the result of applying a signing algorithm.

OIDC in OpenShift

An identity broker is a service that connects clients with IdPs. The identity broker delegates the authentication of the user to the external IdP. OpenShift includes a built-in OAuth server that you can configure to determine the user's identity from the configured IdPs. Thus, the OpenShift built-in OAuth server acts as an identity broker.

When a user tries to log in to OpenShift, the OpenShift built-in OAuth server redirects the user to a login screen to choose from the configured IdPs. For OIDC IdPs, you must previously configure the OIDC client in the IdP that authenticates the user to OpenShift. Then, use the connection parameters and credentials from the OIDC client to configure the OIDC IdP in the OpenShift built-in OAuth server. After authenticating the user in the configured IdP, the internal OAuth server creates an access token for the request and returns the token. The built-in OAuth server, as for any other IdP, also creates or updates the user resources. If you define OIDC group claims, then the OAuth server also creates or updates the groups.

OIDC Claims

OIDC claims are key/value pairs that contain information about the user. OpenShift reads user claims from the JWT token that the IdP issues, and uses these user claims to populate the user, identity, and group resources. You must configure one claim to use as the user's identity. The default identity claim is sub, which stands for subject identifier.

You can configure additional user parameters in other standard claims, such as the preferred username, display name, or email address. For any of those user parameters, you can specify multiple claims. OpenShift uses the first claim with a non-empty value.

The following table lists some standard claims that are defined in OIDC:

Claim	Description
`sub`	The remote identity for the user at the IdP
`preferred_username`	The preferred username when provisioning a user, which typically corresponds to the username in the authentication system for the user
`email`	Email address
`name`	Display name

Note

To see the full list of standard claims that are defined in OIDC, refer to https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

OIDC Group Claims

You can also define additional claims for parameters that OIDC does not define as standard claims. One important additional claim for users is the group claim. OpenShift uses the group claim to map the group membership of a user in the IdP to a group object. Then, you can use role-based access control (RBAC) objects in OpenShift to assign permissions to that group, instead of assigning permissions to individual users.

Note

The Red Hat Communities of Practice Group Sync Operator GitHub repository provides an unsupported operator for synchronizing OIDC groups with external providers that cannot provide group claims as part of their tokens. You can find more information in https://github.com/redhat-cop/group-sync-operator

Configuring OIDC IdP

Follow the next steps to integrate an OIDC IdP into the OpenShift cluster:

Obtain the client ID and the client secret from the OIDC IdP client for the OpenShift integration.
Create an OpenShift secret object, which contains the client secret that is obtained from the OIDC client configuration, in the openshift-config namespace.
Create an OpenShift configuration map object, which contains the certificate authority bundle in the ca.crt file parameter, in the openshift-config namespace (required only if the CA certificate is not configured as a system-wide CA).
Create the OAuth CR YAML file to include the OIDC IdP.
Apply the configuration file to the OAuth CR.

Create the OAuth CR YAML File

After creating the OpenShift secret object that contains the client secret, and the configuration object that contains the certificate authority bundle (if necessary), you can create the OAuth CR YAML file that contains the information to configure the OIDC IdP. If you add an OIDC IdP to the OAuth CR, then you must include the OIDC IdP information in the identityProviders array. You can add multiple OIDC IdPs to the OAuth CR YAML file.

Important

The identityProviders array in the OAuth CR might not be empty. If you remove other IdPs when adding your OIDC IdP, then you cannot log in to the cluster through those IdPs.

The following example shows a minimal configuration file for Red Hat SSO integration to OpenShift. The settings might differ for other OIDC providers, and you must work with your vendor or identity administrator to get all the necessary attributes for your specific setup.

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: oidc_provider_name 
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: oidc_clientid 
      clientSecret: 
        name: secret_name
      ca: 
        name: config_map_name
      claims: 
        preferredUsername:
        - preferred_username
        - email
        name:
        - nickname
        - given_name
        - name
        email:
        - custom_email_claim
        - email
        groups:
        - groups
      issuer: https://external_idp_url.com

	OpenShift prefixes the value of the identity claim with the provider name to form an identity name, and uses the identity name to build the redirect URL.
	The client ID for the existing client in the IdP. You must enable the client to redirect to https://oauth-openshift.apps.cluster_name.cluster_domain/oauth2callback/idp_provider_name.
	The name for the OpenShift secret object that contains the client secret.
	(Optional) The name for the OpenShift configuration map object that contains the certificate authority bundle.
	The list of claims to use as the identity, such as the preferred username, email address, or groups.
	The URL for the IdP. OpenShift accepts only HTTPS URLs.

Log in to the Cluster Through the OIDC IdP

After adding the OIDC IdP to the cluster, you can log in through the IdP by using the OpenShift web console, and providing the username and the password.

If your OIDC IdP supports the grant flow for resource owner password credentials (ROPC), then you can also log in through the IdP by using the oc login command with the username and the password.

If your OIDC IdP does not support the ROPC grant flow, then you receive a You must obtain an API token login error when you use the oc login command with the username and the password. Then, you must first get an OAuth access token and use it to log in by using the oc login --token=acces_token command. You can get the OAuth access token by logging in through the OpenShift web console and then clicking Help → Command line tools → Copy login command. You can also request the OAuth access token through the OpenShift REST API.

Note

Requesting an OAuth access token through the OpenShift REST API is out of the scope of this course. For more information about this topic, refer to https://access.redhat.com/solutions/6610781

IdP Mapping Methods

IdP mapping methods apply to any IdP. If you configure the mappingMethod parameter for the OIDC IdP as claim or add, then OpenShift establishes mappings between the provider's identity and the User object the first time that a user logs in to the cluster.

OAuth Access Tokens

The first time that a user logs in to the cluster, the OpenShift built-in OAuth server creates an OAuth token to authenticate to the API. OAuth access tokens are common to any IdP. OpenShift renews the token to authenticate to the API every time that the user logs in to the cluster. As a user, you can list all your user-owned OAuth access tokens by using the following command. This command lists all the user-owned OAuth access tokens from any IdP that is configured in the OpenShift built-in OAuth server.

[user@host ~]$ oc get useroauthaccesstokens
NAME            CLIENT NAME    CREATED   EXPIRES                        ...
sha256~9BZ3...  openshift-...  69m       2023-06-14 13:24:42 +0000 UTC  ...
sha256~lm1O...  console        75m       2023-06-14 13:19:20 +0000 UTC  ...
sha256~xmpC...  openshift-...  83m       2023-06-14 13:11:24 +0000 UTC  ...

If you modify a user parameter in the OIDC IdP, then the OIDC IdP does not automatically synchronize to OpenShift. For example, if you remove a user account from the OIDC IdP and the user is logged in to OpenShift, then the user can still perform tasks in OpenShift until they log out, because they still have a valid token that the OpenShift built-in OAuth server emits.

For this reason, after you modify a parameter in the OIDC IdP, you must manually remove all the user access tokens from OpenShift to force a user logout. Then, after the user logs in again, OpenShift synchronizes the new user parameters.

You can use the following command to remove all the user access tokens from OpenShift:

[user@host ~]$ oc delete oauthaccesstoken $(oc get oauthaccesstoken -o \
  jsonpath='{.items[?(@.userName=="username")].metadata.name}')

References

For more information about OIDC, refer to the OpenID specifications web page at https://openid.net/developers/specs/

For more information about how to configure OIDC IdPs on OpenShift, refer to the Configuring an OpenID Connect Identity Provider section in the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#identity-provider-oidc-about_configuring-oidc-identity-provider

For more information about how to configure a GitHub or GitHub Enterprise IdP on OpenShift, refer to the Configuring a GitHub or GitHub Enterprise Identity Provider section in the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#identity-provider-overview_configuring-github-identity-provider

For more information about how to configure Azure Active Directory authentication on OpenShift, refer to the Configure Azure Active Directory Authentication for an Azure Red Hat OpenShift 4 Cluster (CLI) section in the Azure Red Hat OpenShift documentation at https://learn.microsoft.com/en-us/azure/openshift/configure-azure-ad-ui

Discuss Red Hat OpenShift Administration III: Scaling Deployments in the Enterprise

Go to community

Welcome to Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise!

Syed

12 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO378.Read more about Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise here.

Revision: do380-4.14-397a507