auth0 인증 추가(oauth,OIDC)

검색하니 잘 안나와서 정리해봅니다.

auth0 설정

  1. 가입

  2. application 생성

  3. application type: SPA

  4. clientId 및 clientSecret 값 을 기록해 둡니다.

  5. Register login url as https://your.argoingress.address/login

  6. Set allowed callback url to https://your.argoingress.address/auth/callback

  7. Under connections, select the user-registries you want to use with argo

  8. add rules 

    function (user, context, callback) {
   const namespace =http://aaa.com'; <- 중요
   const assignedRoles = (context.authorization || {}).roles;

   let idTokenClaims = context.idToken || {};
   let accessTokenClaims = context.accessToken || {};

   idTokenClaims[`${namespace}/groups`] = assignedRoles; <- 중요
   accessTokenClaims[`${namespace}/groups`] = assignedRoles; <- 중요

   context.idToken = idTokenClaims;
   context.accessToken = accessTokenClaims;

   callback(null, user, context);
 }

    이렇게 하면 토큰에 roles 정보가 들어가게 됩니다.

    {
  "http://aaa.com/groups": ["netops"],
  "nickname": "smiley",
  "name": "smiley@aaa.com",
  "picture": "aaa.png",
  "updated_at": "2023-02-04T00:45:12.831Z",
  "email": "smiley@aaa.com",
  "email_verified": true,
  "iss": "https://dev.us.auth0.com/",
  "aud": "zzz",
  "iat": 1675634411,
  "exp": 1675670411,
  "sub": "auth0|xxx",
  "sid": "ggg"
}

  9. create role

  10. assign role to user

update argocd

argocd-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  url: https://argocd.aaa.com
  oidc.config: |
    name: Auth0
    issuer: https://dev.us.auth0.com/
    clientID: OzF3npfPuxjxBn
    clientSecret: LSbBj88xocuog2qlxxx
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email
      -http://aaa.com/groups' <- 중요

argocd-rbac-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, netops, role:admin
  scopes: http://aaa.com/groups, email]' <- 중요

sync

sync하고 pod를 재시작한후 로그인하면 된다.

그룹별로 다른 권한

  • web 이라는 그룹을 만들고 유저를 그룹에 넣는다.

  • argocd-rbac-cm에 다음을 추가한다. (argocd-cm.yaml)

    p, role:web, applications, get, *, allow  # webteam
p, role:web, applications, sync, *, allow # webteam
g, web, role:web                          # webteam

이제 웹 그룹은 get/sync만 할수 있다.

logout

https://auth0.com/docs/api/authentication#logout

  • edit argocd-cm.yaml

logoutURL: https://your-auth0-domain/v2/logout?client_id=your-client-key&returnTo=your-argo-url

please add your return url on auth0

sync / restart pod

auth0에서 회원가입을 막는다

PreviousServer ConfigNextExtension

Last updated

Was this helpful?