How to configure OpenID Connect for Authentication
Overview
By default, a vFunction Server allows users to authenticate with a built-in OAuth username and password workflow. Take the following steps to change the authentication workflow from this built-in OAuth username and password to integrate with an OpenID Connect identity provider:
- SSH to the vFunction Server
- Open the server-installation.yaml:
vi /etc/sysconfig/vfunction/installation/server-installation.yaml
- Uncomment and modify the server.authentication keys using the samples in the sections below as a guide
- Save and close the file.
- Run the install.sh script if configuring a new vFunction Server or the upgrade.sh script if modifying an existing vFunction Server:
### Installation Workflow
bash /opt/vfunction/server-installation/install.sh
### Upgrade Workflow
bash /opt/vfunction/server-installation/upgrade.sh
Note: Some values for the identity provider, such as the JWKS_URL, can be retrieved from the identity provider’s OpenID Connect Metadata Configuration Endpoint at https://<base_url>/.well-known/openid-configuration.
Azure Active Directory OIDC
Replace the values “tenantID”, “clientId”, and “clientSecret” below with the organization’s unique values.
Please note that, in most circumstances, Azure will not function properly if the clientSecret is added to an external connection like vFunction. Please start without a value in this field and, if required, add the clientSecret on the second attempt if the first attempt generates an error indicating that the clientSecret is missing.
server:
authentication:
authority: 'https://login.microsoftonline.com/tenantId/v2.0'
client_id: 'clientId'
client_secret: 'clientSecret' #If Required
jwks_url: 'https://login.microsoftonline.com/tenantId/discovery/v2.0/keys'
issuer: 'https://login.microsoftonline.com/tenantId/v2.0'
Google OpenID Connect (OIDC)
Note that the values below are an example. The values below are provided by Google.
The client_id and client_secret will be unique to each environment.
server:
authentication:
authority: 'https://accounts.google.com'
client_id: 'clientID-xyz'
client_secret: 'clientSecret-xyz'
jwks_url: 'https://www.googleapis.com/oauth2/v3/certs'
issuer: 'https://accounts.google.com'
Okta OpenID Connect
Create the vFunction App in the Okta Admin Console
In the steps below, replace the values, “yourOktaDomain” and “yourVFunctionServerAddress” with your organization’s values.
- In a browser, open https://${yourOktaDomain}/admin/apps/active
- Click the blue Create App Integration button at the top of the center pane
- Select the OIDC - OpenID Connect radio button for Sign-in method
- Select the Single-Page Application radio button for Application type
- Type vFunction in the text box for App integration name
- Check the boxes for both Authorization Code and Refresh Token for Grant type
- Type ${yourVFunctionServerAddress}/oauth/redirect for Sign-in redirect URIs
- Type ${yourVFunctionServerAddress} for Sign-out redirect URIs
- Set access as desired, e.g. Everyone in the organization
- Save the App
- Copy the Client ID to be able to use it in the vFunction server-installation.yaml
Create the vFunction App in the Okta Admin Console
The Okta examples below are taken from Okta’s documentation. Replace the values “yourOktaDomain”, “clientId” with your organization’s values.
server:
authentication:
authority: 'https://yourOktaDomain'
client_id: 'clientId'
### Do not add the Client Secret. This field can be left blank
client_secret: ''
jwks_url: 'https://yourOktaDomain/oauth2/v1/keys'
issuer: 'https://yourOktaDomain'
PingFederate OpenID Connect (OIDC)
Note that the values below are an example. The values below are provided by PingIdentity
The client_id and client_secret will be unique to each environment.
server:
authentication:
authority: 'https://<base_url>'
client_id: 'clientID-xyz'
client_secret: 'clientSecret-xyz'
jwks_url: 'https://<base_url>/pf/JWKS'
issuer: 'https://<base_url>'