auth0 인증 추가(oauth,OIDC)

검색하니 잘 안나와서 정리해봅니다.

auth0 설정

1. 가입

2. application 생성

3. application type: SPA

4. clientId 및 clientSecret 값 을 기록해 둡니다.

5. Register login url as https://your.argoingress.address/login

6. Set allowed callback url to https://your.argoingress.address/auth/callback

7. Under connections, select the user-registries you want to use with argo

8. add rules

   function (user, context, callback) {
      const namespace =http://aaa.com'; <- 중요
      const assignedRoles = (context.authorization || {}).roles;
   
      let idTokenClaims = context.idToken || {};
      let accessTokenClaims = context.accessToken || {};
   
      idTokenClaims[`${namespace}/groups`] = assignedRoles; <- 중요
      accessTokenClaims[`${namespace}/groups`] = assignedRoles; <- 중요
   
      context.idToken = idTokenClaims;
      context.accessToken = accessTokenClaims;
   
      callback(null, user, context);
    }

   이렇게 하면 토큰에 roles 정보가 들어가게 됩니다.

   {
     "http://aaa.com/groups": ["netops"],
     "nickname": "smiley",
     "name": "smiley@aaa.com",
     "picture": "aaa.png",
     "updated_at": "2023-02-04T00:45:12.831Z",
     "email": "smiley@aaa.com",
     "email_verified": true,
     "iss": "https://dev.us.auth0.com/",
     "aud": "zzz",
     "iat": 1675634411,
     "exp": 1675670411,
     "sub": "auth0|xxx",
     "sid": "ggg"
   }

9. create role

10. assign role to user

update argocd

argocd-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  url: https://argocd.aaa.com
  oidc.config: |
    name: Auth0
    issuer: https://dev.us.auth0.com/
    clientID: OzF3npfPuxjxBn
    clientSecret: LSbBj88xocuog2qlxxx
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email
      -http://aaa.com/groups' <- 중요

argocd-rbac-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, netops, role:admin
  scopes: http://aaa.com/groups, email]' <- 중요

sync

sync하고 pod를 재시작한후 로그인하면 된다.

그룹별로 다른 권한

• web 이라는 그룹을 만들고 유저를 그룹에 넣는다.

• argocd-rbac-cm에 다음을 추가한다. (argocd-cm.yaml)

  p, role:web, applications, get, *, allow  # webteam
  p, role:web, applications, sync, *, allow # webteam
  g, web, role:web                          # webteam

이제 웹 그룹은 get/sync만 할수 있다.

logout

https://auth0.com/docs/api/authentication#logout

• edit argocd-cm.yaml

logoutURL: https://your-auth0-domain/v2/logout?client_id=your-client-key&returnTo=your-argo-url

please add your return url on auth0

sync / restart pod

auth0에서 회원가입을 막는다