Adding auth0 authentication (OAuth, OIDC)
Searching didn't turn up much, so I'm writing this up.
auth0 setup
Sign up
Create an application
application type: SPA
Record the clientId and clientSecret values.
Register login url as https://your.argoingress.address/login
Set allowed callback url to https://your.argoingress.address/auth/callback
Under connections, select the user-registries you want to use with argo
add rules
function (user, context, callback) {
  const namespace = 'http://aaa.com'; // <- important
  const assignedRoles = (context.authorization || {}).roles;
  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};
  idTokenClaims[`${namespace}/groups`] = assignedRoles; // <- important
  accessTokenClaims[`${namespace}/groups`] = assignedRoles; // <- important
  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;
  callback(null, user, context);
}
This puts the roles information into the token.
{
  "http://aaa.com/groups": ["netops"],
  "nickname": "smiley",
  "name": "smiley@aaa.com",
  "picture": "aaa.png",
  "updated_at": "2023-02-04T00:45:12.831Z",
  "email": "smiley@aaa.com",
  "email_verified": true,
  "iss": "https://dev.us.auth0.com/",
  "aud": "zzz",
  "iat": 1675634411,
  "exp": 1675670411,
  "sub": "auth0|xxx",
  "sid": "ggg"
}
create role
assign role to user
update argocd
argocd-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  url: https://argocd.aaa.com
  oidc.config: |
    name: Auth0
    issuer: https://dev.us.auth0.com/
    clientID: OzF3npfPuxjxBn
    clientSecret: LSbBj88xocuog2qlxxx # plaintext as in the original; ArgoCD also accepts a $<key> reference to argocd-secret
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email
      - 'http://aaa.com/groups' # <- important
argocd-rbac-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, netops, role:admin
  scopes: '[http://aaa.com/groups, email]' # <- important
sync
Sync, restart the pod, and then log in.

Different permissions per group
Create a group called web and put the users into it.
Add the following to argocd-rbac-cm. (argocd-cm.yaml)
p, role:web, applications, get, *, allow # webteam
p, role:web, applications, sync, *, allow # webteam
g, web, role:web # webteam
Now the web group can only do get/sync.
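As an added example (not code from the original post or from ArgoCD itself), the JavaScript below simulates how the namespaced `http://aaa.com/groups` claim written by the Auth0 rule is picked up through the `scopes` setting in argocd-rbac-cm and resolved by policy.csv, including what happens when `scopes` is left at the default `groups`. The token, the policy text (the page's lines plus a stand-in for ArgoCD's built-in role:admin) and the simplified glob matcher are all constructed here.

```javascript
// Added example: not code from the original post or from ArgoCD itself. It simulates how
// the namespaced groups claim set by the Auth0 rule flows through argocd-rbac-cm "scopes"
// and policy.csv. All data below is constructed.
const NAMESPACE = 'http://aaa.com';
// The page's policy.csv lines plus a stand-in for ArgoCD's built-in role:admin,
// which is not defined in policy.csv; modelled here as an allow-all "p" line.
const POLICY_CSV = `
p, role:admin, *, *, *, allow
g, netops, role:admin
p, role:web, applications, get, *, allow   # webteam
p, role:web, applications, sync, *, allow  # webteam
g, web, role:web                           # webteam
`;
// What the Auth0 rule does: copy the user's assigned roles into a namespaced claim.
function addGroupsClaim(idToken, assignedRoles) {
  return { ...idToken, [`${NAMESPACE}/groups`]: assignedRoles };
}

// argocd-rbac-cm "scopes": the claims whose values ArgoCD treats as RBAC subjects.
function subjectsFromToken(idToken, scopes) {
  return scopes.flatMap((claim) => {
    const v = idToken[claim];
    return v === undefined ? [] : Array.isArray(v) ? v : [v];
  });
}

// Minimal policy.csv parser: "g, subject, role" and "p, role, resource, action, object, effect".
function parsePolicy(csv) {
  const groups = [];
  const perms = [];
  for (const raw of csv.split('\n')) {
    const f = raw.split('#')[0].split(',').map((s) => s.trim());
    if (f[0] === 'g') groups.push({ subject: f[1], role: f[2] });
    if (f[0] === 'p') perms.push({ role: f[1], resource: f[2], action: f[3], object: f[4], effect: f[5] });
  }
  return { groups, perms };
}

// Simplified glob: "*" matches any run of characters (ArgoCD's casbin glob is richer).
function globMatch(pattern, value) {
  const parts = pattern.split('*').map((p) => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(`^${parts.join('.*')}$`).test(value);
}

// Resolve roles via "g" lines, then require a matching allow "p" line.
function isAllowed(policy, subjects, resource, action, object) {
  const roles = policy.groups.filter((g) => subjects.includes(g.subject)).map((g) => g.role);
  return policy.perms.some((p) => roles.includes(p.role) && p.effect === 'allow' &&
    globMatch(p.resource, resource) && globMatch(p.action, action) && globMatch(p.object, object));
}
```

With `scopes` set to `[http://aaa.com/groups, email]` the netops member resolves to role:admin; with the default `groups` scope the namespaced claim is never read and the same user ends up with no role at all.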
logout
https://auth0.com/docs/api/authentication#logout
edit argocd-cm.yaml
logoutURL: https://your-auth0-domain/v2/logout?client_id=your-client-key&returnTo=your-argo-url
please add your return url on auth0

sync / restart pod
Block sign-ups in auth0
