github.com/pachyderm/pachyderm@v1.13.4/doc/docs/1.11.x/enterprise/auth/oidc/configure-auth0.md (about) 1 # Configure OIDC with OAuth0 2 3 [Auth0](https://auth0.com/) is an online authentication platform that 4 developers can use to log in to various applications. 5 If Auth0 is your preferred choice of the identity provider, 6 you can configure Pachyderm with Auth0 so that your 7 Pachyderm users can log in through Auth0. 8 9 # Prerequisites 10 11 Before you can configure Pachyderm to work with Keycloak, you need to 12 have the following components configured: 13 14 * Pachyderm Enterprise 1.11.x or later. The enterprise token must be 15 activated by running `pachctl enterprise activate`. 16 Check the status of your license by running: 17 18 ```shell 19 pachctl enterprise get-state 20 ``` 21 22 For more information, see [Activate Pachyderm Enterprise Edition](../../../deployment/#activate-pachyderm-enterprise-edition). 23 24 * An account at https://auth0.com . It could be a new or an existing 25 account, either paid or free. 26 27 ## Configure Auth0 28 29 If you do not have an Auth0 account, you need to sign up for one 30 at https://auth0.com . Then, you need to add Pachyderm as an application 31 and configure it to work with Auth0. 32 33 To configure Auth0, complete the following steps: 34 35 1. Log in to your Auth0 account. 36 1. In the **Applications**, click **Create Application**. 37 1. Type the name of your application, such as **Pachyderm**. 38 1. In the application type, select **Regular Web Application**. 39 1. Click **Create**. 40 1. Go to the application settings. 41 1. Scroll down and click **Show Advanced Settings**. 42 1. Select **Grant Types**. 43 1. Verify that **Implicit**, **Authorization Code**, **Refresh Token**, and 44 **Client Credentials** are selected. 45 46  47 48 1. In the **Allowed Callback URLs**, add the Pachyderm callback link in the 49 following format: 50 51 ```shell 52 http://<ip>:30657/authorization-code/callback 53 ``` 54 55 The IP address is the address of your Pachyderm host. For example, 56 if you are running Pachyderm in Minikube, you can find the IP 57 address by running `minikube ip`. 58 59 1. Proceed to [Configure Pachyderm Auth](#configure-pachyderm-auth). 60 61 ## Configure Pachyderm Auth 62 63 After you have configured a Pachyderm application in Auth0, you 64 need to create a Pachyderm OIDC config with the Auth0 parameters. 65 All the required parameters, such as `client_id`, `client_secret`, 66 and othersi, are located on the application settings screen. In addition, OIDC 67 settings are exposed at https://appication-domain/.well-known/openid-configuration. 68 69 To configure Pachyderm Auth, complete the following steps: 70 71 1. Check the status of your license by running: 72 73 ```shell 74 pachctl enterprise get-state 75 ``` 76 77 You must have an active enterprise token to proceed. 78 79 1. Go to the terminal and forward the `pachd` pod to the OIDC port: 80 81 1. Get the `pachd` pod ID: 82 83 ```shell 84 kubectl get pod 85 ``` 86 87 **Example system response:** 88 89 ```shell 90 dash-5768cb7d98-j6cgt 2/2 Running 0 4h2m 91 etcd-56d897697-xzsqr 1/1 Running 0 4h2m 92 keycloak-857c59449b-htg99 1/1 Running 0 4h6m 93 pachd-79f7f68c65-9qs8g 1/1 Running 0 4h2m 94 ``` 95 96 1. Forward the `pachd` pod to the OIDC port: 97 98 **Example:** 99 100 ```shell 101 kubectl port-forward pachd-79f7f68c65-9qs8g 30657 102 ``` 103 104 1. Enable Pachyderm authentication: 105 106 ```shell 107 pachctl auth activate --initial-admin=robot:admin 108 ``` 109 110 Pachyderm returns a token. 111 112 **WARNING!** You must save the token to a secure location 113 to avoid being locked out of your cluster. 114 115 1. Log in as the admin user with the token you received in the previous 116 step: 117 118 1. Log in as the admin user with the token you received in the previous 119 step: 120 121 ```shell 122 pachctl auth use-auth-token 123 ``` 124 125 1. Set up the authentication config: 126 127 ```shell 128 pachctl auth set-config <<EOF 129 { 130 "live_config_version": 1, 131 "id_providers": [{ 132 "name": "auth0", 133 "description": "oidc-based authentication with Auth0", 134 "oidc":{ 135 "issuer": "<domain>", 136 "client_id": "<client-id>", 137 "client_secret": "<client-secret>", 138 "redirect_uri": "http://<ip>:30657/authorization-code/callback" 139 } 140 }] 141 } 142 EOF 143 ``` 144 145 You need to replace the following placeholders with relevant values: 146 147 - `issuer` — The domain of your application in Auth0. For example, 148 `dev-7vllfmvr.us.auth0.com/`. Note the trailing slash. 149 150 - `client_id` — The Pachyderm **Client ID** in Auth0. The client ID 151 consists of alphanumeric characters and can be found on the application 152 settings page. 153 154 - `client_secret` - The Pachyderm client secret in Auth0 located 155 on the application settings page. 156 - `redirect_uri` - This parameter should match what you have added 157 to **Allowed Callback URLs** in the previous step. 158 159 1. Log in as the user you have created in the Pachyderm application 160 or sign in with Google: 161 162 1. Run: 163 164 ```shell 165 pachctl auth login 166 ``` 167 168 You should be prompted to a web-browser. Log in as the user you have 169 previously created in Auth0 or sign in with Google. 170 171 You should see the following message printed out in your browser: 172 173 ``` 174 You are now logged in. Go back to the terminal to use Pachyderm! 175 ``` 176 177 1. In the terminal, check that you are logged in as the Auth0 user: 178 179 ```shell 180 pachctl auth whoami 181 ``` 182 183 **Example of System Response:** 184 185 ```shell 186 You are "auth0:test@pachyderm.com" 187 session expires: 07 Aug 20 14:04 PDT 188 ```