OIDC Identity Provider (4.0)
It is possible to configure Usage Engine to take on the role of the 'identity provider' (IdP) in the OpenID Connect Authorization Code Flow described in https://openid.net/specs/openid-connect-core-1_0.html.
The diagram below shows the flow.
Configuring OIDC Identity Provider
To configure Usage Engine to act as an OIDC identity provider, please refer specifically to the auth.oidc.ip values in the Helm chart.
The desktopOnline.baseUrl value also affects this configuration.
OIDC Client Configuration
For an OIDC client to use Usage Engine as an OIDC IdP, it must be configured so that it can find and use the IdP endpoints correctly. This can be done either through Endpoint Discovery or through Manually Configured Endpoints.
Endpoint Discovery
If the OIDC client supports Provider Configuration service discovery (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), it is enough to configure the issuer URL of the Usage Engine IdP for the client to be able to find the URLs of all endpoints. The issuer URL must be reachable from the OIDC client. Refer to the client documentation for details on how to set the issuer URL.
Note!
The service discovery support in Usage Engine currently does not include Issuer Discovery ('/.well-known/webfinger'), only Provider Configuration Discovery ('/.well-known/openid-configuration').
Manually Configured Endpoints
If automatic endpoint discovery is not supported by the OIDC client or is not used, all endpoints must be manually configured in the OIDC client configuration.
The endpoints are listed in the table below together with information on whether they are mandatory or optional.
| Endpoint path | Description | Mandatory/Optional |
|---|---|---|
| /authz | Performs authentication of the End-User, as described in https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint | Mandatory |
| /token | Provides access and ID tokens in response to a valid authorization code, as described in https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint | Mandatory |
| /userinfo | Provides additional user information in response to a valid access token, as described in https://openid.net/specs/openid-connect-core-1_0.html#UserInfo | Optional |
| /jwks | Provides the public key of the issuer according to the JWK specification https://datatracker.ietf.org/doc/html/rfc7517#section-4 | Optional |
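The following script is an added example, not part of the Usage Engine documentation or product. It covers both ways a client learns the IdP endpoints described above: it builds the Provider Configuration Discovery URL from an issuer URL, validates a discovery document, and builds the equivalent endpoint set from the manually configured paths in the table. The discovery document, the issuer value `https://platform.example.com/auth` and the assumption that the issuer URL is the base under which the endpoint paths are mounted are all constructed for the example; the real issuer value comes from the Helm chart. The checks are the ones a deployer wants before trusting an IdP: the `issuer` in the document must equal the configured issuer exactly, mandatory endpoints must be present, and every endpoint must use HTTPS on the issuer's host.

```python
"""Validate an OIDC provider's endpoint configuration before pointing a client at it.

Added example (not Usage Engine code). Issuer, hostname and the discovery
document below are constructed placeholders.
"""
import json
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Discovery-document keys for the endpoints in the table above, and whether the
# table marks them mandatory.
ENDPOINT_KEYS = {
    "authorization_endpoint": True,   # /authz
    "token_endpoint": True,           # /token
    "userinfo_endpoint": False,       # /userinfo
    "jwks_uri": False,                # /jwks
}

# Constructed Provider Configuration document, as a client would fetch it from
# discovery_url(ISSUER). Assumption: the issuer is the base path of the endpoints.
ISSUER = "https://platform.example.com/auth"
EXAMPLE_DISCOVERY_DOC = json.loads("""
{
  "issuer": "https://platform.example.com/auth",
  "authorization_endpoint": "https://platform.example.com/auth/authz",
  "token_endpoint": "https://platform.example.com/auth/token",
  "userinfo_endpoint": "https://platform.example.com/auth/userinfo",
  "jwks_uri": "https://platform.example.com/auth/jwks",
  "response_types_supported": ["code"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")


def discovery_url(issuer: str) -> str:
    """Build the Provider Configuration URL a discovery-capable client fetches."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def manual_endpoints(base: str) -> dict:
    """Build the same endpoint set from the manually configured paths in the table."""
    base = base.rstrip("/")
    return {
        "issuer": base,
        "authorization_endpoint": base + "/authz",
        "token_endpoint": base + "/token",
        "userinfo_endpoint": base + "/userinfo",
        "jwks_uri": base + "/jwks",
    }


def validate_provider_config(issuer: str, doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the configuration is usable.

    - The document's 'issuer' must equal the configured issuer exactly, so a
      document obtained from elsewhere cannot silently redirect the client.
    - Mandatory endpoints must be present.
    - Every endpoint present must use https on the issuer's host.
    """
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: expected {issuer!r}, got {doc.get('issuer')!r}")
    issuer_host = urlparse(issuer).hostname
    for key, mandatory in ENDPOINT_KEYS.items():
        url = doc.get(key)
        if url is None:
            if mandatory:
                problems.append(f"missing mandatory endpoint {key}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parsed.hostname != issuer_host:
            problems.append(f"{key} host {parsed.hostname!r} differs from issuer host {issuer_host!r}")
    return problems


if __name__ == "__main__":
    print("discovery URL:", discovery_url(ISSUER))
    print("discovered  :", validate_provider_config(ISSUER, EXAMPLE_DISCOVERY_DOC) or "ok")
    print("manual      :", validate_provider_config(ISSUER, manual_endpoints(ISSUER)) or "ok")
```

In a real deployment the document would be fetched over TLS from `discovery_url(issuer)` and passed to `validate_provider_config` before the client is enabled; the same function applied to `manual_endpoints(...)` catches a typo in a hand-configured endpoint before the first login attempt.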
Client Identification Configuration
An OIDC client must be configured with the same identification values, that is the Client Id and Client Secret, as defined for that client in the Usage Engine OIDC configuration.
Example OIDC Client Configuration - Grafana
Let's say that the Usage Engine OIDC identity provider has been configured using these helm values:
```yaml
auth:
  oidc:
    ip:
      clients:
        - clientId: 54f3f432-ef63-4671-b086-5a2e95aba27c
          clientName: Grafana
          clientSecret: P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa
          roles:
            - Admin
            - Editor
            - Viewer
      enabled: true
      useHelmGeneratedSecrets: false
global:
  domain: mydomain.com
```
Here we are using explicit clientId and clientSecret values rather than generated ones simply to show that the OIDC client configuration needs to match those values.
If you choose to use generated secrets instead (i.e. by setting the auth.oidc.ip.useHelmGeneratedSecrets value to true), then you need to obtain the actual values to use on the client side (client_id and client_secret) by looking in the env-secrets secret.
So, given the configuration above, configuring the Grafana Helm chart with values like these will make it use Usage Engine as identity provider:
```yaml
grafana:
  domainName: mydomain.com
  grafana.ini:
    auth.generic_oauth:
      api_url: https://platform.{{ .Values.domainName }}/auth/userinfo
      auth_url: https://platform.{{ .Values.domainName }}/auth/authz
      client_id: 54f3f432-ef63-4671-b086-5a2e95aba27c
      client_secret: P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa
      enabled: true
      name: Usage Engine
      role_attribute_path: contains("roles"[*], 'Admin') && 'Admin' || contains("roles"[*], 'Editor') && 'Editor' || contains("roles"[*], 'Viewer') && 'Viewer'
      scopes: openid
      token_url: https://platform.{{ .Values.domainName }}/auth/token
```
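The script below is an added example, not part of the Usage Engine documentation or of Grafana. It copies the IdP client entry and the Grafana `auth.generic_oauth` section from the two Helm value sets above into Python dicts (with the `{{ .Values.domainName }}` template rendered to `mydomain.com`), cross-checks them the way the text requires (matching client id and secret, endpoint URLs derived from the domain, the `openid` scope present, and no role granted by the IdP that the Grafana expression would ignore), and previews the role a user ends up with. Grafana evaluates `role_attribute_path` as a JMESPath expression; `grafana_role` reimplements only the precedence this particular expression encodes (Admin before Editor before Viewer), it is not Grafana's evaluator. The user claim sets in the test are constructed.

```python
"""Cross-check the IdP client entry against Grafana's generic_oauth settings and
preview the role mapping. Added example, not Usage Engine or Grafana code."""

DOMAIN = "mydomain.com"

# From auth.oidc.ip.clients[0] in the IdP Helm values above.
IDP_CLIENT = {
    "clientId": "54f3f432-ef63-4671-b086-5a2e95aba27c",
    "clientName": "Grafana",
    "clientSecret": "P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa",
    "roles": ["Admin", "Editor", "Viewer"],
}

# From grafana.ini / auth.generic_oauth in the Grafana Helm values above,
# with {{ .Values.domainName }} rendered to DOMAIN.
GRAFANA_OAUTH = {
    "api_url": f"https://platform.{DOMAIN}/auth/userinfo",
    "auth_url": f"https://platform.{DOMAIN}/auth/authz",
    "client_id": "54f3f432-ef63-4671-b086-5a2e95aba27c",
    "client_secret": "P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa",
    "scopes": "openid",
    "token_url": f"https://platform.{DOMAIN}/auth/token",
}

# Order in which the role_attribute_path expression tests the 'roles' claim:
# the first role found wins.
ROLE_PRECEDENCE = ("Admin", "Editor", "Viewer")


def config_mismatches(idp_client: dict, grafana: dict, domain: str) -> list[str]:
    """Return the inconsistencies between the IdP client entry and Grafana's settings."""
    problems = []
    if grafana.get("client_id") != idp_client["clientId"]:
        problems.append("client_id does not match clientId on the IdP side")
    if grafana.get("client_secret") != idp_client["clientSecret"]:
        problems.append("client_secret does not match clientSecret on the IdP side")
    base = f"https://platform.{domain}/auth"
    expected = {
        "auth_url": base + "/authz",
        "token_url": base + "/token",
        "api_url": base + "/userinfo",
    }
    for key, url in expected.items():
        if grafana.get(key) != url:
            problems.append(f"{key} should be {url}, found {grafana.get(key)!r}")
    if "openid" not in grafana.get("scopes", "").split():
        problems.append("scopes must include 'openid' for an OIDC login")
    unmapped = [r for r in idp_client["roles"] if r not in ROLE_PRECEDENCE]
    if unmapped:
        problems.append(f"roles on the IdP client entry never matched by role_attribute_path: {unmapped}")
    return problems


def grafana_role(userinfo: dict):
    """Mirror the role_attribute_path expression over a userinfo claim set.

    Returns the highest-precedence role present in the 'roles' claim, or None
    when the expression would yield no role at all.
    """
    roles = userinfo.get("roles") or []
    for role in ROLE_PRECEDENCE:
        if role in roles:
            return role
    return None


if __name__ == "__main__":
    print("mismatches:", config_mismatches(IDP_CLIENT, GRAFANA_OAUTH, DOMAIN) or "none")
    for claims in ({"roles": ["Viewer", "Admin"]}, {"roles": ["Editor"]}, {"sub": "user-1"}):
        print(claims, "->", grafana_role(claims))
```

The `None` case is the one to decide on deliberately: a user whose claims carry none of the three roles falls outside the expression, and what Grafana does then depends on its `role_attribute_strict` setting, so test that case against the real Grafana instance rather than assuming the outcome.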