Guided Exercise: OIDC Authentication and Group Claims

Configure an OIDC identity provider and automate group synchronization between OpenShift OAuth and an OIDC server.

Outcomes

  • Configure Red Hat Single Sign-On (SSO) as an OIDC identity provider (IdP) for OpenShift.

  • Synchronize users and groups from Red Hat SSO to OpenShift.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start auth-oidc

Instructions

Your company requires you to configure Red Hat SSO, which runs on the sso machine, as an OIDC IdP for OpenShift, to automate user and group synchronization between OpenShift OAuth and the Red Hat SSO OIDC server.

As a use case, the lab script configures Red Hat SSO to include the external_providers realm. The following table provides the details for three users and two groups that are available in this realm.

First name   Last name   Username        Group membership
Abby         Quincy      abbyquincy      contractors
Fricis       Ritcher     fricisritcher   contractors
Jaya         Lamont      jayalamont      partners

The password for the three users is redhat_sso.

The company requests that you give read access to the auth-oidc OpenShift project for users in the partners group. Additionally, users in the contractors group need to be able to edit objects in the auth-oidc OpenShift project.

Finally, inspect the behavior in OpenShift after the deletion of a synchronized user or a group membership from Red Hat SSO.

Important

Red Hat SSO administration is outside the scope of this course. For more information about Red Hat SSO, refer to the Red Hat Single Sign-On Administration (DO313) course at https://learn.spidernet.pl/en/services/training/do313-red-hat-single-sign-on-administration

  1. Assign the edit cluster role in OpenShift to the contractors group, so users in that group can modify most of the objects in the auth-oidc project. Assign the view cluster role in OpenShift to the partners group, so users in that group can view most of the objects in the auth-oidc project but cannot make modifications.

    1. Connect to the OpenShift cluster as the admin user with redhatocp as the password.

      [student@workstation ~]$ oc login -u admin -p redhatocp \
        https://api.ocp4.example.com:6443
      Login successful.
      
      You have access to 70 projects, the list has been suppressed. You can list all projects with 'oc projects'
      
      Using project "default".
    2. Change to the auth-oidc project.

      [student@workstation ~]$ oc project auth-oidc
      Now using project "auth-oidc" on server "https://api.ocp4.example.com:6443".
    3. Assign the edit cluster role in the auth-oidc project to the contractors group.

      Note

      Ignore the warning message, because OpenShift creates the contractors group after you synchronize the users from Red Hat SSO.

      [student@workstation ~]$ oc adm policy add-role-to-group edit contractors
      Warning: Group 'contractors' not found
      clusterrole.rbac.authorization.k8s.io/edit added: "contractors"
    4. Assign the view cluster role in the auth-oidc project to the partners group.

      Note

      Ignore the warning message, because OpenShift creates the partners group after you synchronize the users from Red Hat SSO.

      [student@workstation ~]$ oc adm policy add-role-to-group view partners
      Warning: Group 'partners' not found
      clusterrole.rbac.authorization.k8s.io/view added: "partners"
  2. List the users and groups in the external_providers realm in Red Hat SSO. List the group membership for the abbyquincy user.

    1. Connect to the Red Hat SSO machine as the rhsso user.

      [student@workstation ~]$ ssh rhsso@sso.ocp4.example.com
      [rhsso@sso ~]$
    2. Use the kcadm tool to connect to Red Hat SSO.

      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh config credentials \
        --server https://sso.ocp4.example.com:8080/auth \
        --user admin --password redhatocp --realm master
      Logging into https://sso.ocp4.example.com:8080/auth as user admin of realm master
    3. List the users in the external_providers realm. The user IDs differ on your system.

      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh get users -r external_providers \
        --fields 'id,username'
      [ {
        "id" : "a175e1b7-6210-40f8-aeda-732021142e84",
        "username" : "abbyquincy"
      }, {
        "id" : "958fde0c-360c-48f8-b5e5-942708fbb36e",
        "username" : "fricisritcher"
      }, {
        "id" : "64898122-5875-4418-88ac-c9eeeaa0f409",
        "username" : "jayalamont"
      } ]
    4. List the groups in the external_providers realm. The group IDs differ on your system.

      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh get groups -r external_providers \
        --fields 'id,name'
      [ {
        "id" : "e92319be-d5df-4a0c-833a-687fd25ca34c",
        "name" : "contractors"
      }, {
        "id" : "3dcc3053-4ebf-4894-969a-f26d8e2bc22f",
        "name" : "partners"
      } ]
    5. List the groups for the abbyquincy user. Use the ID for the abbyquincy user from an earlier step.

      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh get \
        users/a175e1b7-6210-40f8-aeda-732021142e84/groups -r external_providers
      [ {
        "id" : "e92319be-d5df-4a0c-833a-687fd25ca34c",
        "name" : "contractors",
        "path" : "/contractors"
      } ]
  3. Retrieve the Red Hat SSO client information and note the client secret.

    1. List the information for the ocp_rhsso client from Red Hat SSO.

      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh get clients \
        -r external_providers -q clientId=ocp_rhsso
      [ {
        "id" : "f57e9ddc-8c60-4b40-8048-ec0120595be2",
        "clientId" : "ocp_rhsso",
        "surrogateAuthRequired" : false,
        "enabled" : true,
        "alwaysDisplayInConsole" : false,
        "clientAuthenticatorType" : "client-secret",
        "redirectUris" : [ "https://oauth-openshift.apps.ocp4.example.com/*" ],
        "webOrigins" : [ "https://oauth-openshift.apps.ocp4.example.com" ],
      ...output omitted...
    2. Generate a JSON file with the Red Hat SSO client information, which contains the client ID, the authentication server URL, and the client secret. Use the ocp_rhsso ID from the previous step. The client secret is necessary for configuring the OAuth Custom Resource (CR) in OpenShift, in a later step.

      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh get \
        clients/f57e9ddc-8c60-4b40-8048-ec0120595be2/installation\
      /providers/keycloak-oidc-keycloak-json \
        -r external_providers > rhsso.json

      Note

      The /providers/… text must come after the …/installation text, without spaces.

    3. View the content of the JSON file, which contains the Red Hat SSO client information. You need some of this information when configuring the OIDC IdP on OpenShift.

      Note the secret, which you use in a later step. The client secret differs on your system.

      The JSON file also provides the Red Hat SSO client ID, ocp_rhsso, in the resource parameter. Use this value for the clientID parameter in the IdP configuration file on OpenShift.

      The issuer parameter in the IdP configuration on OpenShift concatenates the value from the auth-server-url parameter, the /realms/ string, and the Red Hat SSO realm name, which in this case is external_providers.

      [rhsso@sso ~]$ cat rhsso.json
      {
        "realm" : "external_providers",
        "auth-server-url" : "https://sso.ocp4.example.com:8080/auth/",
        "ssl-required" : "external",
        "resource" : "ocp_rhsso",
        "credentials" : {
          "secret" : "X4ZTPfDr0b8loqOFArfidhaHq85bHyiy"
        },
        "confidential-port" : 0
      }
    4. Return to the workstation machine.

      [rhsso@sso ~]$ exit
      logout
      Connection to sso.ocp4.example.com closed.
      [student@workstation ~]$
  4. Configure the OpenShift OAuth CR to synchronize users from the Red Hat SSO OIDC client that was configured in the previous step.

    1. Connect to the OpenShift cluster as the admin user with redhatocp as the password.

      [student@workstation ~]$ oc login -u admin -p redhatocp \
        https://api.ocp4.example.com:6443
      Login successful.
      ...output omitted...
    2. Create the rhsso-oidc-client-secret OpenShift secret for the Red Hat SSO client secret by using the client secret from a previous step.

      [student@workstation ~]$ oc create secret generic rhsso-oidc-client-secret \
        --from-literal clientSecret=X4ZTPfDr0b8loqOFArfidhaHq85bHyiy \
        -n openshift-config
      secret/rhsso-oidc-client-secret created
    3. Create the OAuth CR YAML file. You can find an example for the CR in the /home/student/DO380/labs/auth-oidc/sso_config.yml file. The YAML file includes an LDAP IdP that you must preserve, because it provides the admin and developer users. Do not remove the LDAP IdP, and add the OIDC IdP for Red Hat SSO.

      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
        name: cluster
      spec:
        identityProviders:
        - ldap:
      ...output omitted...
        - openID:
            claims:
              email:
                - email
              name:
                - name
              preferredUsername:
                - preferred_username
              groups:
                - groups
            clientID: ocp_rhsso
            clientSecret:
              name: rhsso-oidc-client-secret
            extraScopes: []
            issuer: >-
              https://sso.ocp4.example.com:8080/auth/realms/external_providers
          mappingMethod: claim
          name: RHSSO_OIDC
          type: OpenID
    4. Apply the configuration to the OAuth CR.

      [student@workstation ~]$ oc apply -f ~/DO380/labs/auth-oidc/sso_config.yml
      oauth.config.openshift.io/cluster configured
    5. Verify the status for the OAuth pods and wait for the OAuth pods to be redeployed.

      [student@workstation ~]$ watch oc get pods -n openshift-authentication
      Every 2.0s: oc get pods -n openshift-authentication  workstation: Tue May 30 05:59:57 2023
      
      NAME                               READY   STATUS    RESTARTS   AGE
      oauth-openshift-79c7865785-6zxvp   1/1     Running   0          2m10s
      oauth-openshift-79c7865785-bbp5w   1/1     Running   0          2m39s
      oauth-openshift-79c7865785-jl6th   1/1     Running   0          102s
      ^C
  5. Verify that you can log in to the cluster as the abbyquincy user with redhat_sso as the password, and create resources in the auth-oidc OpenShift project. The ability to create resources derives from the edit cluster role for the contractors group.

    1. Log in to the cluster as the abbyquincy user.

      [student@workstation ~]$ oc login -u abbyquincy -p redhat_sso
      Login successful.
      ...output omitted...
      Using project "auth-oidc".
    2. Verify that the user can create a pod.

      [student@workstation ~]$ oc run ubi9-date --restart 'Never' \
        --image registry.ocp4.example.com:8443/ubi9/ubi -- date
      pod/ubi9-date created
    3. Verify that the user can view pod information in the project.

      [student@workstation ~]$ oc get pods
      NAME        READY   STATUS      RESTARTS   AGE
      ubi9-date   0/1     Completed   0          85s
    4. Verify that the user cannot review the user information, because the user is not a cluster administrator.

      [student@workstation ~]$ oc get users
      Error from server (Forbidden): users.user.openshift.io is forbidden: User "abbyquincy" cannot list resource "users" in API group "user.openshift.io" at the cluster scope
  6. Verify that OpenShift creates the user and group the first time that they log in.

    1. Verify that OpenShift synchronizes the user from Red Hat SSO the first time that they log in, and that the abbyquincy user is a member of the contractors group in OpenShift.

      [student@workstation ~]$ oc login -u admin -p redhatocp
      ...output omitted...
      [student@workstation ~]$ oc get users
      NAME        UID           FULL NAME      IDENTITIES
      abbyquincy  11bc3d49-...  Abby Quincy    RHSSO_OIDC:a175e1b7-...-732021142e84
      admin       00fed1ea-...  Administrator  Red Hat Identity Management:dWlk...
      [student@workstation ~]$ oc get groups
      NAME                USERS
      Default SMB Group
      admins              admin
      contractors         abbyquincy
      developer
      editors
      ocpadmins           admin
      ocpdevs             developer
  7. Synchronize the jayalamont user to OpenShift, and verify that the user can view objects in the OpenShift project, but cannot edit them.

    1. Log in as the jayalamont user with redhat_sso as the password.

      [student@workstation ~]$ oc login -u jayalamont -p redhat_sso
      Login successful.
      ...output omitted...
      Using project "auth-oidc".
    2. Verify that the user can view pod information in the project.

      [student@workstation ~]$ oc get pods
      NAME        READY   STATUS      RESTARTS   AGE
      ubi9-date   0/1     Completed   0          7m47s
    3. Verify that the user cannot remove the pod in the project.

      [student@workstation ~]$ oc delete pod ubi9-date
      Error from server (Forbidden): pods "ubi9-date" is forbidden: User "jayalamont" cannot delete resource "pods" in API group "" in the namespace "auth-oidc"
  8. Log in to OpenShift as the fricisritcher user, who is another member of the contractors group and can therefore edit resources in the auth-oidc OpenShift project.

    1. Log in as the fricisritcher user in the OpenShift web console. To do so, open a Firefox window and navigate to https://console-openshift-console.apps.ocp4.example.com. Click RHSSO_OIDC.

    2. Log in as the fricisritcher user with redhat_sso as the password.

  9. Remove the user's membership of the contractors group in Red Hat SSO.

    1. Change to the terminal window. Verify that OpenShift correctly synchronizes the user from Red Hat SSO, and that the user is a member of the contractors group.

      [student@workstation ~]$ oc login -u admin -p redhatocp
      ...output omitted...
      [student@workstation ~]$ oc get users
      NAME           UID           FULL NAME       IDENTITIES
      abbyquincy     11bc3d49-...  Abby Quincy     RHSSO_OIDC:a175e1b7-...-732021142e84
      admin          00fed1ea-...  Administrator   Red Hat Identity Management:dWlk...
      fricisritcher  af752e5b-...  Fricis Ritcher  RHSSO_OIDC:958fde0c-...-942708fbb36e
      jayalamont     e5f74993-...  Jaya Lamont     RHSSO_OIDC:64898122-...-c9eeeaa0f409
      [student@workstation ~]$ oc get groups
      NAME                USERS
      Default SMB Group
      admins              admin
      contractors         abbyquincy, fricisritcher
      developer
      editors
      ocpadmins           admin
      ocpdevs             developer
      partners            jayalamont
    2. Connect to the Red Hat SSO machine as the rhsso user. Remove the fricisritcher user's membership of the contractors group in Red Hat SSO, by using the user and group ID from a previous step.

      [student@workstation ~]$ ssh rhsso@sso.ocp4.example.com
      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh config credentials \
        --server https://sso.ocp4.example.com:8080/auth \
        --user admin --password redhatocp --realm master
      Logging into https://sso.ocp4.example.com:8080/auth as user admin of realm master
      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh delete \
        users/958fde0c-360c-48f8-b5e5-942708fbb36e\
      /groups/e92319be-d5df-4a0c-833a-687fd25ca34c \
        -r external_providers

      Note

      The /groups/… text must come after the user ID, without spaces.

    3. Verify that, even though you removed the fricisritcher user's membership of the contractors group in Red Hat SSO, the user is still a member of the contractors group in OpenShift.

      [rhsso@sso ~]$ exit
      logout
      Connection to sso.ocp4.example.com closed.
      [student@workstation ~]$ oc get groups
      NAME                USERS
      Default SMB Group
      admins              admin
      contractors         abbyquincy, fricisritcher
      developer
      editors
      ocpadmins           admin
      ocpdevs             developer
      partners            jayalamont
  10. Verify that the fricisritcher user can still edit resources in the auth-oidc OpenShift project. Verify that the change to the user's group membership applies in OpenShift only after the user logs out and logs back in.

    1. Try to remove the ubi9-date pod as the fricisritcher user. To do so, change to the Firefox window, and from the perspective switcher select Administrator.

      Then, click Workloads → Pods.

      In the list with the ubi9-date pod, click the icon with three dots and then click Delete Pod.

      Click Delete. The user can still edit objects in OpenShift, because OpenShift has not yet synchronized the changed group membership for the user.

    2. Log out and log back in as the fricisritcher user in the OpenShift web console. Click the username in the upper right corner and click Log out.

      Click RHSSO_OIDC and log in again as the fricisritcher user with redhat_sso as the password.

    3. Change to the terminal window. Verify that OpenShift synchronized the group membership at login: the user is no longer a member of the contractors group.

      [student@workstation ~]$ oc get groups
      NAME                USERS
      Default SMB Group
      admins              admin
      contractors         abbyquincy
      developer
      editors
      ocpadmins           admin
      ocpdevs             developer
      partners            jayalamont
  11. Remove the fricisritcher user from Red Hat SSO, and verify that the user session is still open in the OpenShift web console until the user logs out. Force the user to log out so they cannot reconnect. Verify that the user account is present as a leftover in OpenShift and requires manual removal.

    1. Change to the Firefox window and verify that the session for the fricisritcher user is not expired. If the session expires, then log in again as the fricisritcher user.

    2. Change to the terminal window and remove the fricisritcher user from Red Hat SSO, by using the user ID from an earlier step.

      [student@workstation ~]$ ssh rhsso@sso.ocp4.example.com
      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh config credentials \
        --server https://sso.ocp4.example.com:8080/auth \
        --user admin --password redhatocp --realm master
      Logging into https://sso.ocp4.example.com:8080/auth as user admin of realm master
      [rhsso@sso ~]$ /opt/rh-sso-7.6/bin/kcadm.sh delete \
        users/958fde0c-360c-48f8-b5e5-942708fbb36e -r external_providers
    3. Change to the Firefox window and try to create a project called fricis-project as the fricisritcher user. To do so, click Create a new project.

      In the name field, enter fricis-project, and click Create. The user can create a project even after you removed them from Red Hat SSO.

    4. Create a pod in the fricis-project project as the fricisritcher user. To do so, click Workloads → Pods and then Create Pod.

    5. Change the default YAML definition file as follows:

      apiVersion: v1
      kind: Pod
      metadata:
        name: example
        labels:
          name: httpd
        namespace: fricis-project
      spec:
      ...output omitted...

      Then, click Create.

      The user can create a pod even after you removed them from Red Hat SSO.

    6. Change to the terminal window, and verify that the user has active access tokens in OpenShift.

      [rhsso@sso ~]$ exit
      logout
      Connection to sso.ocp4.example.com closed.
      [student@workstation ~]$ oc get oauthaccesstoken
      NAME            USER NAME       CLIENT NAME    CREATED  EXPIRES     ...
      sha256~4v47...  admin           openshift-...  159m     2023-05-31  ...
      ...output omitted...
      sha256~WbOZ...  fricisritcher   console        8m42s    2023-05-31  ...
      sha256~Y52j...  admin           openshift-...  159m     2023-05-31  ...
      ...output omitted...
    7. Remove all the access tokens for the fricisritcher user.

      [student@workstation ~]$ oc delete oauthaccesstoken \
        $(oc get oauthaccesstoken \
        -o jsonpath='{.items[?(@.userName=="fricisritcher")].metadata.name}')
      oauthaccesstoken.oauth.openshift.io "sha256~WbOZ..." deleted
    8. Change to the Firefox window and wait until OpenShift automatically logs out the user. Verify that you can no longer log in as the fricisritcher user. Close the Firefox window.

    9. Change to the terminal window, and verify that the user and the user identity are still present in OpenShift, and require manual removal.

      [student@workstation ~]$ oc get users
      NAME           UID           FULL NAME       IDENTITIES
      abbyquincy     11bc3d49-...  Abby Quincy     RHSSO_OIDC:a175e1b7-...-732021142e84
      admin          00fed1ea-...  Administrator   Red Hat Identity Management:dWlk...
      developer      514df291-...  Developer User  Red Hat Identity Management:dWlk...
      fricisritcher  af752e5b-...  Fricis Ritcher  RHSSO_OIDC:958fde0c-...-942708fbb36e
      jayalamont     e5f74993-...  Jaya Lamont     RHSSO_OIDC:64898122-...-c9eeeaa0f409
    10. Remove the fricisritcher user and identity from OpenShift.

      [student@workstation ~]$ oc delete user fricisritcher
      user.user.openshift.io "fricisritcher" deleted
      [student@workstation ~]$ oc delete identity \
        RHSSO_OIDC:958fde0c-360c-48f8-b5e5-942708fbb36e
      identity.user.openshift.io "RHSSO_OIDC:958fde0c-...-942708fbb36e" deleted
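As an added example (not part of the exercise or of Red Hat's tooling), the following Python script ties two points of this exercise together: it builds the openID identity provider entry from the kcadm installation JSON as steps 3.3 and 4.3 describe (issuer is auth-server-url plus realms/ plus the realm name), and, from constructed samples shaped like the oc and kcadm JSON output, it lists the users, identities and access tokens that remain in OpenShift after a user is deleted from Red Hat SSO, which step 11 shows must be removed by hand. The function names, the sample token names and the placeholder secret are assumptions.

```python
import json

# Constructed sample shaped like the kcadm installation output (rhsso.json
# in the exercise); the secret is a placeholder, not a real value.
RHSSO_JSON = """{
  "realm" : "external_providers",
  "auth-server-url" : "https://sso.ocp4.example.com:8080/auth/",
  "resource" : "ocp_rhsso",
  "credentials" : { "secret" : "PLACEHOLDER_CLIENT_SECRET" }
}"""

# Constructed samples shaped like `oc get users -o json`, `oc get oauthaccesstoken
# -o json` and `kcadm.sh get users`, taken after fricisritcher was deleted in SSO.
OC_USERS = {"items": [
    {"metadata": {"name": "abbyquincy"},
     "identities": ["RHSSO_OIDC:a175e1b7-6210-40f8-aeda-732021142e84"]},
    {"metadata": {"name": "fricisritcher"},
     "identities": ["RHSSO_OIDC:958fde0c-360c-48f8-b5e5-942708fbb36e"]},
    {"metadata": {"name": "admin"},
     "identities": ["Red Hat Identity Management:PLACEHOLDER"]},
]}
OC_TOKENS = {"items": [  # token names are made up
    {"metadata": {"name": "sha256~token-fricis"}, "userName": "fricisritcher"},
    {"metadata": {"name": "sha256~token-admin"}, "userName": "admin"},
]}
SSO_USERS = [{"id": "a175e1b7-6210-40f8-aeda-732021142e84", "username": "abbyquincy"}]

def build_openid_idp(rhsso_json, secret_name, idp_name="RHSSO_OIDC"):
    """Build the identityProviders entry of the exercise's OAuth CR.
    issuer = auth-server-url + "realms/" + realm, with the slash normalised so
    the trailing "/" in auth-server-url does not give ".../auth//realms/...".
    """
    client = json.loads(rhsso_json)
    base = client["auth-server-url"].rstrip("/")
    return {
        "name": idp_name, "mappingMethod": "claim", "type": "OpenID",
        "openID": {
            "clientID": client["resource"],          # the "resource" field
            "clientSecret": {"name": secret_name},   # secret in openshift-config
            "extraScopes": [],
            "issuer": f"{base}/realms/{client['realm']}",
            "claims": {"preferredUsername": ["preferred_username"], "name": ["name"],
                       "email": ["email"], "groups": ["groups"]},
        },
    }

def find_orphans(oc_users, oc_tokens, sso_users, idp_name="RHSSO_OIDC"):
    """Return, per orphaned user, the oc commands that finish the offboarding.
    An identity "<idp_name>:<sub>" whose <sub> is not a live Red Hat SSO user id
    marks a user that Red Hat SSO deleted but OpenShift kept (exercise step 11).
    Tokens go first so the live session ends, then the user, then its identities."""
    live_ids = {u["id"] for u in sso_users}
    plan = {}
    for user in oc_users["items"]:
        name = user["metadata"]["name"]
        stale = [i for i in user.get("identities", [])
                 if i.startswith(idp_name + ":") and i.split(":", 1)[1] not in live_ids]
        if not stale:
            continue
        tokens = [t["metadata"]["name"] for t in oc_tokens["items"] if t["userName"] == name]
        plan[name] = ([f"oc delete oauthaccesstoken {t}" for t in tokens]
                      + [f"oc delete user {name}"]
                      + [f"oc delete identity {i}" for i in stale])
    return plan
```

In a live cluster, replace the constructed samples with the output of the oc and kcadm commands shown in the exercise; the plan for each orphaned user is the sequence of deletions that steps 11.7 and 11.10 perform by hand.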

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish auth-oidc

Revision: do380-4.14-397a507