
Setup oidc login

mas-who edited this page May 30, 2024 · 9 revisions

Setup OIDC login

  1. Open a free account on https://auth0.com/
    • You can use Google login to sign up
  2. Go to Applications
    • Hit Create application
    • Choose Native type
  3. Hit Settings of your new application
  4. Scroll all the way up and copy the Domain and use it as the oidc issuer (it is important that it has the https:// prefix and ends with a /, because LXD compares it byte-for-byte with the iss claim in the token)
    • lxc config set oidc.issuer=https://dev-abcdef.us.auth0.com/
  5. Copy the Client ID and use it as the oidc client id
    • lxc config set oidc.client.id=6f6f6f6f6f6f
  6. Hit APIs and copy the API Audience, use it as the oidc audience
    • lxc config set oidc.audience=https://dev-abcdef.us.auth0.com/api/v2/

Now you can hit https://localhost:8407 with an unauthenticated browser and use SSO login. Use the credentials for auth0.

Setup custom claim for permission group mapping

An admin user may set up multiple users in auth0 and allocate roles to those users. When a specific user logs in using oidc, the allocated roles for that user can be mapped to LXD permission groups by using custom claims set in auth0. This section details the steps for setting up roles for a user on auth0 as well as the custom claim so that LXD can map those roles to permission groups.

  1. Under User Management -> Users, create a new user, provide an email and password for that user.
  2. Under User Management -> Roles, create some roles with suitable names.
  3. Go to the user you created in step 1, click on the Roles tab then click Assign Roles. Select the roles you just created in step 2.
  4. You will need to setup a custom action on auth0 to set the custom claim on the id_token during the oidc login flow.
  • Under Actions -> Library, click on Create Action. Give the action a suitable name like roles-in-id-token, select Login / Post Login for the Trigger and leave the Runtime selection as recommended. Hit Create and you will be redirected to a code editor. Insert the code snippet shown below and hit Deploy:
// Auth0 post-login action: copy the roles assigned to the user (step 3) into a
// custom claim on both tokens. event.authorization is absent when the login did
// not complete with an authorized user, so the claim is only set in that case.
exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    api.idToken.setCustomClaim(`lxd-idp-groups`, event.authorization.roles);
    api.accessToken.setCustomClaim(`lxd-idp-groups`, event.authorization.roles);
  }
};
  • Once the action is deployed, go to Actions -> Flows -> Login, under the Custom actions tab, drag the action you just created and drop it in between the Start and Complete nodes of the Login flow. An action that is deployed but not placed in the flow never runs, and the claim will be missing from the token.
  5. Now in LXD, set the server configuration oidc.groups.claim to be the custom claim you have set in step 4. Using the current example, the custom claim is lxd-idp-groups. You can do this with lxc config set oidc.groups.claim=lxd-idp-groups.
  6. (experimental) In the UI for LXD, you will need to navigate to Permissions -> IDP groups and create mappings for assigning roles on auth0 to permission groups created on LXD. For each IDP group created in LXD, the name of the IDP group must match a role you have created in auth0, and it should map to one or more permission groups in LXD.
  7. Lastly, you will need to log in as a user with roles assigned in auth0. During the oidc flow, LXD will automatically try to extract the custom claim from the user's id_token based on the oidc.groups.claim config value. The extracted custom claim will be an array of roles for your user from auth0; those roles will then be mapped to LXD permission groups using the mapping that you created in step 6.