Change callback URL to something else than localhost for usage at Auth0

[junoriosity]

When I am using a kubeconfig file like

apiVersion: v1
kind: Config
current-context: pinniped
clusters:
- cluster:
    certificate-authority-data: LS0tLS[...]
    server: https://my-kubernetes-api-endpoint.example.com:59986
  name: pinniped
contexts:
- context:
    cluster: pinniped
    user: pinniped
  name: pinniped
users:
- name: pinniped
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: /usr/local/bin/pinniped
      args:
      - login
      - oidc
      - --enable-concierge
      - --concierge-api-group-suffix=pinniped.dev
      - --concierge-authenticator-name=my-jwt-authenticator
      - --concierge-authenticator-type=jwt
      - --concierge-endpoint=https://my-kubernetes-api-endpoint.example.com:59986
      - --concierge-ca-bundle-data=LS0tLS[...]
      - --issuer=https://my-oidc-issuer.eu.auth0.com/
      - --client-id=my-client-id
      - --scopes=offline_access,openid,email
      - --listen-port=12345
      - --request-audience=my-client-id

I have to use the callback URI http://127.0.0.1:12345/callback (see here https://pinniped.dev/docs/howto/configure-concierge-jwt/).

However, my OIDC provider Auth0 explicitly requires me not to use such a callback URI at localhost.

Can I change that somehow?

[cfryanr]

Hi @junoriosity,

Sorry for the slow response!

Can you please share some more context about your overall desired setup?

If you use the Pinniped Supervisor, then it could be configured to get user identities from Auth0 by using an OIDCIdentityProvider CR. That would work seamlessly with the CLI. If you'd like to see how to do that you could check out the detailed example at https://pinniped.dev/docs/tutorials/concierge-and-supervisor-demo/ but in your case you would use Auth0 instead of Okta.

Are you trying to avoid using the Supervisor, perhaps?

[tobi-at-cariad]

Hi @cfryanr ,

many thanks for getting back to me. I have to admit I am not very much of an expert in it.

The only thing that matters to me is that I can use a callback URL that differs from localhost. I could use my own domain for it somehow. Is such a thing possible here?

[cfryanr]

Unfortunately not. What's happening here is the Pinniped CLI needs to open a local HTTP port to listen for the OIDC authcode flow's callback in order to receive the authcode when your web browser follows the OIDC provider's callback redirect. I'm not an expert in Auth0 but it appears that they allow localhost callbacks according to their docs (see the bullet point called "Allowed Callback URLs" in https://auth0.com/docs/get-started/applications/application-settings).

I should repeat, however, that you would benefit from using the Pinniped Supervisor here. In your kubeconfig from your original question it appears that you are not using the Supervisor because your --issuer flag is pointing straight at Auth0, whereas that usually points at a Pinniped Supervisor. While it is possible to use Pinniped in the way that you showed, there are many benefits to using the Supervisor instead. And, as I mentioned before, you can still use Auth0's OIDC as the actual source of your user identities with the Supervisor.

[junoriosity]

@cfryanr Many thanks for your reply. So, when I am using the supervisor, I can use a custom callback domain for auth0 that is not localhost, right?

[cfryanr]

When you use the Supervisor, then the callback URL that you configure in Auth0 would be the URL for a special path on the Supervisor itself. When you install and configure your Supervisor, you get to set up its ingress, DNS, and TLS certs yourself, which means that you can call the Supervisor whatever you want for a DNS name.

It's a little bit of work to set up the ingress, DNS, and TLS, but once you have a single Supervisor all set up, then you can use it to provide authentication services to lots of Kubernetes clusters.

It depends on your overall use case. If you're trying to provide authentication to lots of Kubernetes clusters, then the Supervisor is the way to go.

[junoriosity]

Hi @cfryanr,

I am sorry for my belated reply, but I was swallowed by so many other things.

I really agree that Supervisor is the way to go for and I found your wonderful tutorial.

However, I also found this Helm chart here and since I like Helm charts quite a lot, I was wondering whether there is a chance, that I could simply set the configurations of the aforementioned tutorial as config values in the Helm chart. Sadly, however, I did not find anything regarding that for this Helm.

Can you help me here?

[cfryanr]

Hi @junoriosity,

The bitnami Helm chart for Pinniped is quite new, and we haven't developed any tutorials around that yet. It should all be possible, but apologies for not have any specific advice here yet.