Add additional documentation for IdP Flow (#2185)
cniackz authored Jul 2, 2024
1 parent e23f91d commit 9e040a0
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions examples/kustomization/operator-external-idp-oid/README.md
@@ -93,3 +93,19 @@ Make sure the `CONSOLE_IDP_CALLBACK` URL contains the correct path, for example

The default OpenID login token duration is 3600 seconds (1 hour). You can set a longer duration with the
`CONSOLE_IDP_TOKEN_EXPIRATION` environment variable.

### In addition

A new authentication mechanism is being used for Operator version 6, as observed in PR https://github.com/minio/operator/pull/2166. This is for security reasons, and you must properly configure your k8s API Server to support it with the flags below:

```
--oidc-issuer-url=https://dev-xqm5ioqlmy7qyjvl.us.auth0.com/
--oidc-client-id=rMVc40T7fwgbEez1svp8wmjBtSaoKIOJ
--oidc-groups-claim=group
```

Official Kubernetes documentation can be found at https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens.

Additionally, IdP configuration is required to provide the groups via `id_token` so that Kubernetes can validate access via RBAC, determining whether a user can access certain resources. We suggest reading articles like https://developer.okta.com/blog/2021/11/08/k8s-api-server-oidc for a better understanding.

If properly configured, the SSO experience for the end user remains the same, but this time MinIO will no longer provide the Service Account.
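Review bot: the flag block in this hunk uses what look like a real Auth0 development tenant and client (`--oidc-issuer-url=https://dev-xqm5ioqlmy7qyjvl.us.auth0.com/` and `--oidc-client-id=rMVc40T7fwgbEez1svp8wmjBtSaoKIOJ`); replace them with obvious placeholders such as `https://<your-issuer>/` and `<your-client-id>`, because a reader who copies the issuer verbatim configures kube-apiserver to trust tokens minted by a tenant they do not control. The same block should say that `--oidc-groups-claim=group` is IdP-specific (many providers emit `groups`) and that with `--oidc-username-claim` omitted the API server uses its default of `sub`, so the following paragraph on RBAC can tell readers which subject and group names their bindings must match. The closing sentence "MinIO will no longer provide the Service Account" would read more clearly if it stated what replaces it, namely that the user's own `id_token` is presented to the Kubernetes API and authorized by RBAC. Minor: the code fence has no language tag.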
