OpenID Connect Authentication
You can set up OpenID authentication for users to log in to Control Center with their OpenID accounts.
Get OpenID Credentials
First, set up OpenID credentials for your chosen OpenID provider. Specify the following parameters in your configuration:
Scopes
Specify the openid, profile, and email scopes in the OpenID provider configuration.
Redirect URI
The redirect URI tells your OpenID provider where to send responses to user authentication requests. The URI for Control Center has the form http://{host}:{port}/api/v1/oauth2/login/{providerName}, where providerName is the name you specify in the configuration file in the following step.
For example, if you use Google as a provider and run Control Center on localhost:3100, your redirect URI is:
http://localhost:3100/api/v1/oauth2/login/google
If the frontend and backend have different hosts or ports, set the control.base-url value to the frontend URI, for example https://example.com:1234.
Client ID and Secret
The OpenID provider generates a client ID and secret, which you then specify in the configuration file.
Add OpenID to Configuration
To connect Control Center to your OpenID provider, add OpenID configuration to the Configuration file.
The following configuration sets up a connection to Google’s OAuth 2.0 API:
spring.security.oauth2.client:
  # Define client credentials.
  registration:
    # You can specify any name as long as it is consistent
    # with the name in the provider section and redirect URI.
    google:
      client-id: {your-ID}
      client-secret: {your-secret}
  # Define your OpenID provider endpoints.
  # Most services provide this information on a .well-known page.
  # For this example we use Google endpoints,
  # taken from the https://accounts.google.com/.well-known/openid-configuration page.
  provider:
    google:
      authorization-uri: https://accounts.google.com/o/oauth2/v2/auth # authorization_endpoint
      token-uri: https://oauth2.googleapis.com/token # token_endpoint
      jwk-set-uri: https://www.googleapis.com/oauth2/v3/certs # jwks_uri
After the configuration is set up, restart Control Center. Users can now log in by using their OpenID credentials.
Communications Between Control Center and OIDC Provider
According to the OIDC specification, during the Authorization Code Flow, Control Center must exchange the authorization code for a token pair via an HTTP POST request from the Control Center backend to the OIDC provider’s token endpoint. Make sure that the Control Center backend is allowed to perform such outgoing requests.
If the token exchange fails, possible reasons are:
- A firewall blocks the outgoing requests: verify the firewall settings and adjust them as required.
- Connectivity issues between Control Center and the remote OIDC provider: verify the network settings and adjust them as required. You can use the cURL utility to test connectivity between Control Center and the external OIDC provider:
curl -X POST -u $CLIENT_ID:$CLIENT_SECRET --data-urlencode "grant_type=authorization_code" --data-urlencode "code=ignored" $OIDC_PROVIDER_TOKEN_URL
You should get an HTTP 4xx error response with content similar to:
{"error":"invalid_grant","error_description":"Code not valid"}
- The remote OIDC provider uses a self-signed SSL certificate: import this certificate into the Control Center truststore.
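The cURL check above can be scripted so that its outcome is mapped to the three failure causes just listed. The following is an added example, not part of Control Center or this documentation; the token URL, client ID and secret are placeholders you supply, and the sample response body in the comments is constructed to match the cURL output shown above.

```python
"""Probe an OIDC token endpoint the way the Control Center backend does (added example)."""
import json
import socket
import ssl
import urllib.error
import urllib.parse
import urllib.request
from base64 import b64encode


def classify_token_response(status: int, body: bytes) -> str:
    """A 4xx reply carrying a JSON 'error' field means the provider was reached and
    the client credentials were accepted; only the dummy code was rejected."""
    try:
        payload = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        payload = {}
    if 400 <= status < 500 and isinstance(payload, dict) and "error" in payload:
        # constructed sample: {"error":"invalid_grant","error_description":"Code not valid"}
        return f"reachable: provider answered HTTP {status} ({payload['error']})"
    if status >= 500:
        return f"provider error: token endpoint returned HTTP {status}"
    return f"unexpected reply: HTTP {status}"


def classify_failure(exc: BaseException) -> str:
    """Map transport-level errors to the causes listed above (firewall, network, TLS)."""
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "TLS verification failed: import the provider certificate into the truststore"
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout: check firewall rules for outgoing requests from the backend"
    if isinstance(reason, OSError):
        return f"connectivity problem: {reason}"
    return f"unexpected error: {exc!r}"


def probe_token_endpoint(token_url: str, client_id: str, client_secret: str, timeout: float = 10) -> str:
    """Replay the cURL check: POST a dummy code with HTTP Basic client authentication."""
    data = urllib.parse.urlencode({"grant_type": "authorization_code", "code": "ignored"}).encode()
    creds = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(token_url, data=data, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry the JSON body
        return classify_token_response(err.code, err.read())
    except Exception as exc:  # connection, timeout and TLS failures
        return classify_failure(exc)
```

Call probe_token_endpoint("https://<provider-token-url>", "<client-id>", "<client-secret>") from the host running the Control Center backend; a result starting with "reachable" corresponds to the expected HTTP 4xx invalid_grant reply.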
© 2024 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.