OIDC and OAuth with Dex
Cloudsoft AMP supports Dex as a way of accessing a broad range of OIDC/OAuth2 identity providers using its supported connectors.
This page assumes you have Dex installed and configured, and covers how to enable AMP to connect with Dex. Conceptually, AMP needs to know the Dex URL, the AMP name assigned in Dex as a client and its secret. For performing the authentication, with the configured connectors, the Dex oauth scopes need to be configured provided too.
The configuration below shows how to allow AMP to use the Dex Security provider.
Note the brooklyn.security.oauth.clientId
and clientSecret
fields;
these should match one of the allowed clients in Dex (e.g. staticClients
).
The brooklyn.security.oauth.callback
must also match one of the redirectURIs
in Dex,
and of course must resolve to AMP.
The configuration below includes commented-out properties which can be used further to configure groups.
# Set up security provider
brooklyn.webconsole.security.provider = io.cloudsoft.amp.security.DexSecurityProviderImpl
## Optional comma-separated list of email addresses authorized to connect to AMP.
## These users will be allowed irrespective of any domains set below.
## Groups may still be used to restrict (or deny) access.
#brooklyn.webconsole.security.oauth.users =
## Optional comma-separated list of email domains authorized to connect to AMP.
## All users from these domains listed here will be allowed to connect.
## Groups may still be used to restrict (or deny) access.
## If omitted, if users are indicated above, only those users will be allowed to access.
## If no users nor domains are specified, then groups must be used to limit access.
## If Dex is configured only to authorize users you trust (e.g. not GitHub or Google!)
## and you really want to enable users from all domains, you can set '*' here.
#brooklyn.webconsole.security.oauth.domains = acme.org
# Callback URL after authentication
brooklyn.webconsole.security.oauth.callback = https://ampsso.acme.org
# Caching duration for avoiding to avoid validating the token externally for every API request. Defaults to 0.
brooklyn.webconsole.security.oauth.cache_duration = 10s
# Dex URL.
brooklyn.webconsole.security.oauth.dexUrl = http://127.0.0.1:5556/dex
## Optionally the parameters below can be set explicitly.
#brooklyn.webconsole.security.oauth.tokenUrl = http://127.0.0.1:5556/dex/token
#brooklyn.webconsole.security.oauth.authenticateUrl = http://127.0.0.1:5556/dex/auth
#brooklyn.webconsole.security.oauth.validateUrl = http://127.0.0.1:5556/dex/userinfo
# Client ID registered in Dex.
brooklyn.webconsole.security.oauth.clientId = amp
brooklyn.webconsole.security.oauth.clientSecret = this_is_the_amp_dex_client_secret
# Scopes to request:
# - `openid` and `email` are required.
# - `groups` needed if using groups.
# - `offline_access` for support token refreshing.
brooklyn.webconsole.security.oauth.scope = openid+email+groups+offline_access
## Set this to make the token available via the UI,
## eg via the Debug Console as `data.user_oauth_bearer_token`.
#brooklyn.webconsole.security.oauth.token_accessible = false
## To use groups to control access (recommended for production usage),
#brooklyn.entitlements.global=io.cloudsoft.amp.entitlements.rbac.PerRoleEntitlementManager
# io.cloudsoft.amp.entitlements.rbac.userToRole = io.cloudsoft.amp.rbac:io.cloudsoft.amp.entitlements.rbac.LdapGroupsResolver
## Set this key to this value and configure the groups in the next section below.
## This key must have this value, as Dex group access piggy-backs on the LDAP code.
## Omit if you do not wish to use groups. In that case, users or domains must be set.
## `PerUserEntitlementManager` or another entitlement manager should normally be used,
## as shown further below.
#brooklyn.webconsole.security.ldap.group_config_keys = io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly
## Here you may set whatever groups you wish, assigned to known roles in AMP.
## (Replace "testing-*" with the groups you wish to enable.)
## If the group name contains a `:` (e.g. GitHub `org:team`) replace it by a `-` (e.g. `org-team`).
## Users get all entitlements corresponding to any group they are a member of.
## Users with none of these groups get no access to AMP.
# io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.testing-sso-admin=root
# io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.testing-sso-read-only=readonly
# io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.testing-sso-minimal=minimal
# io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.testing-sso-user=user
# io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.testing-sso-powerUser=powerUser
# io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.testing-sso-blueprintAuthor=blueprintAuthor
# io.cloudsoft.amp.entitlements.rbac.perGroupLdapOnly.testing-sso-logViewer=logViewer
## If not using groups, you can set default entitlements and per-user entitlements
## using another entitlement manager, such as PerUserEntitlementManager.
## If neither of these is set, all authenticated users will get full access.
#brooklyn.entitlements.global=org.apache.brooklyn.core.mgmt.entitlement.PerUserEntitlementManager
#brooklyn.entitlements.perUser.default=user
#brooklyn.entitlements.perUser.root@acme.org=root
#brooklyn.entitlements.perUser.reader@acme.org=readonly
#brooklyn.entitlements.perUser.metrics@acme.org=minimal
More details about the LdapGroupsResolver can be found in the Entitlements section.