You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
here I'd like the clusters entry could be smart enough to allow any of the existing OIDC-compatible providers (like auth0, gitlab, etc) to be specified.
Overlap with google (i.e. GKE) implementation today
Unfortunately this will collide with the existing google auth provider, which is really intended for GKE only and uses an access token instead of an ID token. If you were to configure your k8s apiserver to treat accounts.google.com as an issuer, the cluster would actually validate your identity based on your ID token, not your access token.
I can see two options at this point:
create a special case for "google as a generic OIDC issuer independent of GKE", like google-oidc
rename the google auth provider to something arguably more descriptive, like gke.
User Experience
When you open the kubernetes tab for a service, you get the login popup; you click the log in button for the configured auth provider, finish up the OAuth2 authorization flow (just like with the existing Google auth provider), and then you see your k8s objects (or not if you're not authorized)!
Context
The kubernetes apiserver generally supports authenticating users via an OIDC token; for a specific example, try an AWS EKS cluster with an associated OIDC identity provider. It would be useful if, on demand, Backstage would negotiate credentials with an OIDC server on the user's behalf, and use those credentials to fetch kubernetes objects with the user's own identity.
The text was updated successfully, but these errors were encountered:
Feature Suggestion
Let's generalize the
google
auth provider to work with any OIDC server!Possible Implementation
Values-file structure
What I can imagine is an app-config a bit like
here I'd like the
clusters
entry could be smart enough to allow any of the existing OIDC-compatible providers (likeauth0
,gitlab
, etc) to be specified.Overlap with
google
(i.e. GKE) implementation todayUnfortunately this will collide with the existing
google
auth provider, which is really intended for GKE only and uses an access token instead of an ID token. If you were to configure your k8s apiserver to treat accounts.google.com as an issuer, the cluster would actually validate your identity based on your ID token, not your access token.I can see two options at this point:
google-oidc
google
auth provider to something arguably more descriptive, likegke
.User Experience
When you open the kubernetes tab for a service, you get the login popup; you click the log in button for the configured auth provider, finish up the OAuth2 authorization flow (just like with the existing Google auth provider), and then you see your k8s objects (or not if you're not authorized)!
Context
The kubernetes apiserver generally supports authenticating users via an OIDC token; for a specific example, try an AWS EKS cluster with an associated OIDC identity provider. It would be useful if, on demand, Backstage would negotiate credentials with an OIDC server on the user's behalf, and use those credentials to fetch kubernetes objects with the user's own identity.
The text was updated successfully, but these errors were encountered: