Pinniped Documentation
Configure the Pinniped Supervisor to use Auth0 as an OIDC provider
The Supervisor is an OpenID Connect (OIDC) issuer that supports connecting “upstream” identity providers to many “downstream” cluster clients.
This guide shows you how to configure the Supervisor so that users can authenticate to their Kubernetes cluster using their Auth0 credentials.
Prerequisites
This how-to guide assumes that you have already installed the Pinniped Supervisor with working ingress, and that you have configured a FederationDomain to issue tokens for your downstream clusters.
Create an Auth0 Application
Follow the instructions to create an application.
For example, to create an app:
- In the Auth0 Admin Console, navigate to Applications > Applications.
- Create a new application:
- Click
+ Create Application
. - Provide a name. For
Choose an application type
, selectRegular Web Applications
. - Under
Settings
:- Note the
Client ID
andClient Secret
, which will be provided later to Pinniped. - Update
Allowed Callback URLs
with Pinniped’s issuer URL, appending/callback
to the end. (Example: `https://pinniped.issuer.example.com/callback). - Under
Advanced Settings
:- Choose
Grant Types
and make sure thatAuthorization Code
,Refresh Token
, andPassword
are selected. - Find the Auth0 Issuer URL by loading the URL at
Endpoints
>OAuth
>OpenID Configuration
and finding the"issuer"
field.
- Choose
- Note the
- Click
Configure Auth0 to include user groups in its ID tokens
Auth0 does not have a simple concept of group membership for users. It may be possible to model group membership in Auth0, but the specifics depend on which enterprise connector or database is used to create your users. Please refer to the Auth0 documentation for more information.
Pinniped does not have a specific recommendation for how user groups are defined in Auth0. The examples below are provided as examples to better understand how Auth0 and Pinniped integrate, not how to configure Auth0.
Assuming that you have somehow configured Auth0 to include group membership information about your users, you can expose this to Pinniped by configuring Auth0 to include a custom claim in the Auth0 ID token.
Auth0 recommends using a namespaced format for your custom claim names.
In the following example, replace "https://example.com/pinniped/groups"
with the namespaced claim name of your choice.
Pinniped requires that the value of the group claim is an array of strings.
The following example is intended to show how to add a custom claim, but does not show a realistic example of where the group names should come from. To keep this example simple, the group names shown here are hardcoded. Do not hardcode group names for a production system. Instead, the array of groups should be dynamically provisioned from the appropriate place in the Auth0 user store.
exports.onExecutePostLogin = async (event, api) => {
if (event.authorization) {
api.idToken.setCustomClaim("https://example.com/pinniped/groups", ["auth0-read-only", "other-grouo", "something-else"]);
}
};
To configure your Kubernetes authorization, please see how-to login.
Configure the Supervisor
Create an OIDCIdentityProvider in the same namespace as the Supervisor.
For example, this OIDCIdentityProvider uses Auth0’s email
claim as the Kubernetes username:
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
namespace: pinniped-supervisor
name: auth0
spec:
# Change this to be the actual issuer provided by your Auth0 account.
issuer: https://<your-tenant-id>.<your-region>.auth0.com/
authorizationConfig:
# Request any scopes other than "openid" for claims besides
# the default claims in your token. The "openid" scope is always
# included.
additionalScopes:
- offline_access
- email
# If you would also like to allow your end users to authenticate using
# a password grant, then change this to true. Password grants only work
# with applications created in Auth0 with the "Password" grant type enabled.
allowPasswordGrant: false
# Specify how Auth0 claims are mapped to Kubernetes identities.
claims:
# Specify the name of the claim in your Auth0 ID token that will be mapped
# to the "username" claim in downstream tokens minted by the Supervisor.
username: email
# Specify the name of the claim in your Auth0 ID token that represents the
# groups that the user belongs to.
groups: https://example.com/pinniped/groups
# Specify the name of the Kubernetes Secret that contains your Auth0
# application's client credentials (created below).
client:
secretName: auth0-client-credentials
---
apiVersion: v1
kind: Secret
metadata:
namespace: pinniped-supervisor
name: auth0-client-credentials
type: secrets.pinniped.dev/oidc-client
stringData:
# The "Client ID" that you got from Auth0.
clientID: "<your-client-id>"
# The "Client secret" that you got from Auth0.
clientSecret: "<your-client-secret>"
Note that the metadata.name
of the OIDCIdentityProvider resource may be visible to end users at login prompts
if you choose to enable allowPasswordGrant
, so choose a name which will be understood by your end users.
For example, if you work at Acme Corp, choose something like acme-corporate-auth0
over my-idp
.
Once your OIDCIdentityProvider has been created, you can validate your configuration by running:
kubectl describe OIDCIdentityProvider -n pinniped-supervisor auth0
Look at the status
field. If it was configured correctly, you should see phase: Ready
.
Next steps
Next, configure the Concierge to validate JWTs issued by the Supervisor! Then you’ll be able to log into those clusters as any of the users from the Auth0 directory.