OIDC Identity Provider (4.3)

It is possible to configure Usage Engine to take on the role of the 'identity provider' (IdP) in the OpenID Connect Authorization Code Flow described in https://openid.net/specs/openid-connect-core-1_0.html.

The diagram below shows the flow.

Configuring OIDC Identity Provider 

To configure Usage Engine to act as an OIDC identity provider, please refer specifically to the auth.oidc.ip values in the Helm chart.
The desktopOnline.baseUrl value is also related to this configuration. 

OIDC Client Configuration

For an OIDC client to use Usage Engine as an OIDC IdP, it needs some configuration to make it able to find and use the IdP APIs correctly. This can be done either through Endpoint Discovery or through Manually Configured Endpoints.

Endpoint Discovery

If the OIDC client supports Provider Configuration service discovery (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), it is enough to configure the issuer URL of the Usage Engine IdP for the client to be able to find the URLs of all endpoints. The URL must be reachable from the OIDC client. Refer to the client documentation for details on how to set the issuer URL.

Note!

The service discovery support in Usage Engine currently does not include Issuer Discovery ('/.well-known/webfinger'), only Provider Configuration Discovery ('/.well-known/openid-configuration').

Manually Configured Endpoints

If automatic endpoint discovery is not supported by the OIDC client or is not used, all endpoints must be manually configured in the OIDC client configuration.

The endpoints are listed in the table below together with information on whether they are mandatory or optional.

Endpoint path | Description | Mandatory/Optional
/authz | Performs authentication of the End-User, as described in https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint | Mandatory
/token | Provides access and ID tokens in response to a valid authorization code, as described in https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint | Mandatory
/userinfo | Provides additional user information in response to a valid access token, as described in https://openid.net/specs/openid-connect-core-1_0.html#UserInfo | Optional
/jwks | Provides the public key of the issuer according to the JWK specification, https://datatracker.ietf.org/doc/html/rfc7517#section-4 | Optional

Client Identification Configuration

An OIDC client must be configured with the same identification configuration, that is, the Client Id and Client Secret fields, as defined in the OIDC configuration.

Example OIDC Client Configuration - Grafana

Let's say that the Usage Engine OIDC identity provider has been configured using these Helm values:

auth:
  oidc:
    ip:
      clients:
      - clientId: 54f3f432-ef63-4671-b086-5a2e95aba27c
        clientName: Grafana
        clientSecret: P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa
        roles:
        - Admin
        - Editor
        - Viewer
      enabled: true
      useHelmGeneratedSecrets: false
global:
  domain: mydomain.com

Here we are using explicit clientId and clientSecret values rather than generated ones simply to show that the OIDC client configuration needs to match those values.

If you select to use generated secrets instead (i.e. by setting the auth.oidc.ip.useHelmGeneratedSecrets value to true), then you need to obtain the actual values to use on the client side (client_id and client_secret) by looking in the env-secrets secret.

So, given the configuration above, configuring the Grafana Helm chart with values like these will make it use Usage Engine as identity provider:

grafana:
  domainName: mydomain.com
  grafana.ini:
    auth.generic_oauth:
      api_url: https://platform.{{ .Values.domainName }}/auth/userinfo
      auth_url: https://platform.{{ .Values.domainName }}/auth/authz
      client_id: 54f3f432-ef63-4671-b086-5a2e95aba27c
      client_secret: P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa
      enabled: true
      name: Usage Engine
      role_attribute_path: contains("roles"[*], 'Admin') && 'Admin' || contains("roles"[*],
        'Editor') && 'Editor' || contains("roles"[*], 'Viewer') && 'Viewer'
      scopes: openid
      token_url: https://platform.{{ .Values.domainName }}/auth/token
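The following is an added example (not part of the Usage Engine documentation or the Grafana chart) that checks a manually configured client, such as the Grafana values above, against the IdP side: the client_id and client_secret must match a registered client, the mandatory /authz and /token endpoints must be set, and every configured endpoint must be the IdP's own path under the issuer over https. The IdP and Grafana dictionaries are constructed from the page's sample values; the issuer URL https://platform.mydomain.com/auth is assumed from the endpoint URLs in the Grafana example, and check_client is a hypothetical helper.

```python
from urllib.parse import urlsplit

# Endpoint paths from the table above, the Grafana key that carries each one,
# and whether the client must configure it.
ENDPOINTS = {
    "auth_url": ("/authz", True),
    "token_url": ("/token", True),
    "api_url": ("/userinfo", False),
}

# Constructed from the page's sample Helm values; the issuer URL is an
# assumption derived from the endpoint URLs in the Grafana example.
IDP = {
    "issuer": "https://platform.mydomain.com/auth",
    "clients": [{
        "clientId": "54f3f432-ef63-4671-b086-5a2e95aba27c",
        "clientSecret": "P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa",
    }],
}
GRAFANA = {
    "client_id": "54f3f432-ef63-4671-b086-5a2e95aba27c",
    "client_secret": "P2ZuYMV7nmgaXIDia6GQ3Z9Ii714wdWGDQCsPEhTZktQ7QCYnJ11QN4u84taZqZa",
    "auth_url": "https://platform.mydomain.com/auth/authz",
    "token_url": "https://platform.mydomain.com/auth/token",
    "api_url": "https://platform.mydomain.com/auth/userinfo",
}


def check_client(idp, client):
    """Return the mismatches between a client config and the IdP (empty = OK)."""
    problems = []
    registered = {c["clientId"]: c["clientSecret"] for c in idp["clients"]}
    secret = registered.get(client.get("client_id"))
    if secret is None:
        problems.append("client_id is not registered in auth.oidc.ip.clients")
    elif secret != client.get("client_secret"):
        problems.append("client_secret differs from the IdP clientSecret")
    issuer = urlsplit(idp["issuer"])
    for key, (path, mandatory) in ENDPOINTS.items():
        url = client.get(key)
        if url is None:
            if mandatory:
                problems.append(f"{key} ({path}) is mandatory but not set")
            continue
        parts = urlsplit(url)
        # The endpoint must be the IdP's own: https, same host, exact path.
        if parts.scheme != "https":
            problems.append(f"{key} must use https, got {parts.scheme}")
        if parts.netloc != issuer.netloc:
            problems.append(f"{key} points at {parts.netloc}, not the IdP host")
        if parts.path != issuer.path + path:
            problems.append(f"{key} path {parts.path} is not {issuer.path + path}")
    return problems
```

Running check_client(IDP, GRAFANA) on the values above returns an empty list; /jwks is not checked because the Grafana example does not configure it.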