OIDC Identity Provider

OpenID Connect is an interoperable authentication protocol built on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with the design goal of “making simple things simple and complicated things possible”. Compared with any preceding identity protocol, it is uniquely easy for developers to integrate, and it is implemented by many identity providers, such as Keycloak, Okta, Dex, Auth0, Gluu, and many more.

Example of using Google Identity Platform:

apiVersion: v1
kind: ConfigMap
metadata:
  name: kubesphere-config
  namespace: kubesphere-system
data:
  kubesphere.yaml: |
    authentication:
      authenticateRateLimiterMaxTries: 10
      authenticateRateLimiterDuration: 10m0s
      jwtSecret: "********"
      oauthOptions:
        accessTokenMaxAge: 1h
        accessTokenInactivityTimeout: 30m
        identityProviders:
        - name: google
          type: OIDCIdentityProvider
          mappingMethod: auto
          provider:
            clientID: '********'
            clientSecret: '********'
            issuer: https://accounts.google.com
            redirectURL: 'http://ks-console/oauth/redirect/google'

For the above example:

| Parameter | Description |
|---|---|
| clientID | The OAuth2 client ID. |
| clientSecret | The OAuth2 client secret. |
| redirectURL | The URL the provider redirects back to after authentication, i.e. the ks-console callback. |
| issuer | The OpenID Provider's issuer URL. Clients use it to dynamically discover the provider's configuration. |
| preferredUsernameKey | Configurable key of the claim that holds the preferred username. |
| emailKey | Configurable key of the claim that holds the email address. |
| getUserInfo | Uses the userinfo endpoint to fetch additional claims for the token. This is especially useful where upstreams return "thin" ID tokens. |
| insecureSkipVerify | Turns off TLS certificate verification for the connection to the provider, so the provider's identity is no longer checked. |
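The following is an added illustration, not KubeSphere's own code, of what the `issuer`, `clientID`, `preferredUsernameKey`, `emailKey` and `getUserInfo` settings in the table mean when a login completes: the ID token's `iss`, `aud` and `exp` claims are checked against the configuration, a "thin" token is optionally enriched from the userinfo response, and the username and email are then read from the configured claim keys. The configuration values, claim-key defaults, token and userinfo response are all constructed for the example; the signature check that a real flow performs before trusting any claim is out of scope here and is only named in a comment.

```python
import base64
import json
from typing import Optional

# Constructed configuration mirroring the provider fields on this page.
# The claim-key values are this example's assumption, not KubeSphere defaults.
PROVIDER_CONFIG = {
    "clientID": "example-client-id",  # placeholder, not a real client ID
    "issuer": "https://accounts.google.com",
    "preferredUsernameKey": "preferred_username",
    "emailKey": "email",
    "getUserInfo": True,
}


def b64url_encode(obj: dict) -> str:
    # JWT segments are base64url-encoded JSON without '=' padding.
    raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
    return raw.decode().rstrip("=")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that the JWT encoding strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed compact JWT (header.payload.signature) for the demo.

    The signature segment is a placeholder; this helper only exists so the
    example has a realistic-looking token to parse offline.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{b64url_encode(header)}.{b64url_encode(claims)}.placeholder-sig"


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    NOTE: the signature is not verified here. In a real flow the token must be
    verified against the provider's published keys before any claim is trusted.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token is not a three-part compact JWT")
    return json.loads(b64url_decode(parts[1]))


def validate_claims(claims: dict, config: dict, now: int) -> None:
    # 'iss' must match the configured issuer exactly (OIDC Core 3.1.3.7).
    if claims.get("iss") != config["issuer"]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    # 'aud' may be a string or a list; our clientID must be among the audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if config["clientID"] not in audiences:
        raise ValueError("token was not issued for this client")
    # 'exp' is a NumericDate; reject tokens that have already expired.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")


def map_identity(id_token: str, config: dict, userinfo: Optional[dict], now: int) -> dict:
    """Apply the configured claim mapping to a validated ID token."""
    claims = decode_id_token_claims(id_token)
    validate_claims(claims, config, now)
    merged = dict(claims)
    if config["getUserInfo"] and userinfo is not None:
        # The userinfo response must describe the same subject (OIDC Core 5.3.2).
        if userinfo.get("sub") != claims.get("sub"):
            raise ValueError("userinfo 'sub' does not match the ID token 'sub'")
        # ID token claims take precedence; userinfo only fills in what a thin token lacks.
        for key, value in userinfo.items():
            merged.setdefault(key, value)
    # Fall back to the stable 'sub' identifier when the username claim is absent.
    username = merged.get(config["preferredUsernameKey"]) or merged["sub"]
    return {"sub": merged["sub"], "username": username, "email": merged.get(config["emailKey"])}


# Constructed sample data: a "thin" ID token that carries no profile claims,
# plus the userinfo response that supplies them.
NOW = 1_700_000_000
THIN_TOKEN = make_sample_token({
    "iss": "https://accounts.google.com",
    "aud": "example-client-id",
    "sub": "1234567890",          # constructed subject identifier
    "exp": NOW + 3600,
})
USERINFO = {"sub": "1234567890", "preferred_username": "alice", "email": "alice@example.com"}


def demo(config: dict = PROVIDER_CONFIG, userinfo: Optional[dict] = USERINFO) -> dict:
    return map_identity(THIN_TOKEN, config, userinfo, NOW)


if __name__ == "__main__":
    print(demo())
```

With `getUserInfo` enabled the thin token resolves to username `alice` and email `alice@example.com`; with it disabled the same token yields only the `sub` value as username and no email, which is the difference the table's `getUserInfo` row describes.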
