
OIDC

Authentication Setup

  1. Create a Web Application Integration: In your OIDC provider, set up an integration for a Web Application using the code flow method.

  2. Configure Callback URL:

    • For ingress setup: Use your ScaleOps domain followed by /auth/callback (e.g., https://scaleops.yourdomain.com/auth/callback).
    • For port forwarding without ingress: Use http://localhost:8080/auth/callback.

  3. Save Credentials: Record the generated client ID and client secret for later use in ScaleOps configuration.

  4. Add the following helm values to your helm values.yml file:

    authProvider:
      provider: oauth2
      oauth2:
        issuerUrl: <ISSUER-URL>
        clientID: <CLIENT-ID>
        clientSecret: <CLIENT-SECRET>

Groups Setup

Define a group in your OIDC integration. Assign a role to this group. ScaleOps determines the group based on the claims in your JWT access token.

    authProvider:
      provider: oauth2
      authorization:
        enabled: true
      oauth2:
        clientID: <CLIENT-ID>
        issuerUrl: <ISSUER-URL>
        clientSecret: <CLIENT-SECRET>
        groupsClaim: <JWT-CLAIM-NAME-TO-USE>

Advanced Configuration

ScaleOps supports additional configuration options for OIDC integrations. You can add the following configuration to your values.yaml file:

    authProvider:
      provider: oauth2
      oauth2:
        issuerUrl: <ISSUER-URL>
        clientID: <CLIENT-ID>
        clientSecret: <CLIENT-SECRET>
        # Optionally specify a list of allowed audience claims. Defaults to clientID if omitted.
        # Token verification succeeds if any audience in the token matches this list.
        audiences:
          - api://default
        # Optional set of OIDC scopes to request in the ID token.
        scopes:
          - openid
          - profile
          - email
          - offline_access
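The two claim checks these values configure, the audience match from the Advanced Configuration section and the groupsClaim lookup from the Groups Setup section, modelled in Python as an added example (this is not ScaleOps code; it assumes the token's signature has already been verified against the issuer and that aud follows RFC 7519, a single string or an array; sample payloads and the idp.example.com issuer are constructed):

```python
# Added example (not ScaleOps code): the audience and groups-claim checks
# described above, applied to an already signature-verified token payload.

def allowed_audiences(client_id, audiences=None):
    """Documented default: with no `audiences` list, only the client ID is accepted."""
    configured = list(audiences or [])
    return set(configured) if configured else {client_id}


def audience_matches(claims, allowed):
    """RFC 7519 lets `aud` be one string or an array; the check succeeds
    if any audience in the token is in the allowed set."""
    aud = claims.get("aud")
    if aud is None:
        return False
    token_audiences = [aud] if isinstance(aud, str) else list(aud)
    return any(a in allowed for a in token_audiences)


def groups_from_token(claims, groups_claim):
    """Read the claim named by `groupsClaim`; a missing claim yields no
    groups (so the user gets no role) rather than an error."""
    value = claims.get(groups_claim, [])
    return [value] if isinstance(value, str) else list(value)


def authorize(claims, client_id, groups_claim, audiences=None):
    """Return the user's groups if the audience check passes, else None."""
    if not audience_matches(claims, allowed_audiences(client_id, audiences)):
        return None
    return groups_from_token(claims, groups_claim)


# Constructed sample payloads (not real tokens); the issuer is a placeholder.
SAMPLE_DEFAULT_AUD = {"iss": "https://idp.example.com", "sub": "alice",
                      "aud": "scaleops-client", "groups": ["scaleops-admins"]}
SAMPLE_API_AUD = {"iss": "https://idp.example.com", "sub": "bob",
                  "aud": ["api://default", "other-app"], "groups": ["scaleops-viewers"]}
SAMPLE_WRONG_AUD = {"iss": "https://idp.example.com", "sub": "carol",
                    "aud": "some-other-client", "groups": ["scaleops-admins"]}
```

With no audiences list, SAMPLE_API_AUD is rejected even though it carries api://default, because only the client ID is accepted by default; adding api://default to the list admits it.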