Adding Auth0 authentication to Argo CD (OAuth, OIDC)

I couldn't find much when I searched, so I'm writing it up here.

Auth0 setup

  1. Sign up for an Auth0 account.

  2. Create an application.

  3. Application type: SPA

  4. Make a note of the Client ID and Client Secret; they become clientID and clientSecret in argocd-cm below.

  5. Register login url as https://your.argoingress.address/login

  6. Set allowed callback url to https://your.argoingress.address/auth/callback

  7. Under connections, select the user-registries you want to use with argo

  8. Add a rule. Auth0 only keeps custom claims whose name is a URL-style namespace, so the namespace value, and the /groups claim built from it, is what Argo CD has to be told about in argocd-cm and argocd-rbac-cm below; the lines marked "important" here and there must all use the same string. (Auth0 has since deprecated Rules in favor of Actions; the same claims can be set there with api.idToken.setCustomClaim.)

    function (user, context, callback) {
       const namespace = 'http://aaa.com'; // <- important: URL-style namespace, reused in argocd-cm and argocd-rbac-cm
       const assignedRoles = (context.authorization || {}).roles; // roles assigned to the user in Auth0 (steps 9 and 10)

       let idTokenClaims = context.idToken || {};
       let accessTokenClaims = context.accessToken || {};

       idTokenClaims[`${namespace}/groups`] = assignedRoles; // <- important
       accessTokenClaims[`${namespace}/groups`] = assignedRoles; // <- important

       context.idToken = idTokenClaims;
       context.accessToken = accessTokenClaims;

       callback(null, user, context);
     }

    With this, the user's roles end up in the ID token as the namespaced groups claim:

    {
      "http://aaa.com/groups": ["netops"],
      "nickname": "smiley",
      "name": "smiley@aaa.com",
      "picture": "aaa.png",
      "updated_at": "2023-02-04T00:45:12.831Z",
      "email": "smiley@aaa.com",
      "email_verified": true,
      "iss": "https://dev.us.auth0.com/",
      "aud": "zzz",
      "iat": 1675634411,
      "exp": 1675670411,
      "sub": "auth0|xxx",
      "sid": "ggg"
    }
  9. Create a role (netops in the example above).

  10. Assign the role to the user.
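Before touching Argo CD it is worth confirming that a token from Auth0 actually carries what the ConfigMaps below expect. The following is an added example, not code from the original post or from Argo CD or Auth0: a Node.js pre-flight check that decodes an ID token and compares its iss, aud, exp and the namespaced groups claim against the argocd-cm values used on this page. It does not verify the signature (Argo CD does that against the issuer's JWKS); it only catches configuration mismatches. The two sample tokens are constructed for the demo and unsigned; the ARGOCD_CONFIG values mirror the argocd-cm shown below.

```javascript
// Added example (not from the original post, Argo CD or Auth0): pre-flight check of an
// Auth0 ID token against the values Argo CD will be configured with. Claims only; no
// signature verification. Node.js >= 16 (uses Buffer's base64url support).

const ARGOCD_CONFIG = {
  issuer: 'https://dev.us.auth0.com/',  // oidc.config.issuer, trailing slash included
  clientID: 'OzF3npfPuxjxBn',           // oidc.config.clientID
  groupsClaim: 'http://aaa.com/groups', // rule namespace + '/groups', also listed in rbac scopes
};

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns { problems, groups, email }; an empty problems list means the token carries
// everything argocd-cm / argocd-rbac-cm expect.
function checkArgoCdClaims(token, config, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const problems = [];

  if (claims.iss !== config.issuer) {
    problems.push(`iss ${JSON.stringify(claims.iss)} != configured issuer ${JSON.stringify(config.issuer)} (exact match; the trailing slash matters)`);
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(config.clientID)) {
    problems.push(`aud ${JSON.stringify(claims.aud)} does not contain clientID ${JSON.stringify(config.clientID)}`);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    problems.push('token has no exp or is already expired');
  }
  const groups = claims[config.groupsClaim];
  if (!Array.isArray(groups)) {
    // A claim with the right suffix but another namespace is the usual http/https or domain typo.
    const lookalikes = Object.keys(claims).filter((k) => k.endsWith('/groups') || k === 'groups');
    problems.push(`no array claim ${JSON.stringify(config.groupsClaim)}` +
      (lookalikes.length
        ? ` (found ${JSON.stringify(lookalikes)}: the rule's namespace differs from argocd-cm)`
        : ' (rule not attached, or claim name is not a URL namespace so Auth0 dropped it)'));
  } else if (groups.length === 0) {
    problems.push(`${JSON.stringify(config.groupsClaim)} is empty: the user has no Auth0 role, so no g line in policy.csv will match`);
  }
  return { problems, groups: Array.isArray(groups) ? groups : [], email: claims.email };
}

// Constructed sample tokens for the demo (unsigned; the signature segment is a placeholder).
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-placeholder`;
}

// Mirrors the token shown on the page.
const GOOD_TOKEN = makeUnsignedToken({
  [ARGOCD_CONFIG.groupsClaim]: ['netops'], email: 'smiley@aaa.com',
  iss: ARGOCD_CONFIG.issuer, aud: ARGOCD_CONFIG.clientID,
  iat: 1675634411, exp: 1675670411, sub: 'auth0|xxx',
});
// Token from a rule whose namespace used https:// instead of the http:// written in argocd-cm.
const BAD_TOKEN = makeUnsignedToken({
  'https://aaa.com/groups': ['netops'], email: 'smiley@aaa.com',
  iss: ARGOCD_CONFIG.issuer, aud: ARGOCD_CONFIG.clientID,
  iat: 1675634411, exp: 1675670411, sub: 'auth0|xxx',
});
// argocd-cm with the issuer copied without its trailing slash (second common mistake).
const MISCONFIG = { ...ARGOCD_CONFIG, issuer: 'https://dev.us.auth0.com' };

// Fixed "now" inside the tokens' validity window so the demo is reproducible.
const NOW = 1675634500;
console.log('good token, correct config:', checkArgoCdClaims(GOOD_TOKEN, ARGOCD_CONFIG, NOW));
console.log('bad token, issuer typo:    ', checkArgoCdClaims(BAD_TOKEN, MISCONFIG, NOW));
```

Paste a real ID token (for example one taken from the browser after a login attempt) in place of GOOD_TOKEN; every entry in problems corresponds to a line in the rule or in argocd-cm that has to change.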

Update Argo CD

argocd-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  application.instanceLabelKey: argocd.argoproj.io/instance
  url: https://argocd.aaa.com
  oidc.config: |
    name: Auth0
    issuer: https://dev.us.auth0.com/   # exactly as it appears in the token's iss, trailing slash included
    clientID: OzF3npfPuxjxBn
    clientSecret: LSbBj88xocuog2qlxxx
    requestedIDTokenClaims:
      groups:
        essential: true
    requestedScopes:
      - openid
      - profile
      - email
      - 'http://aaa.com/groups' # <- important: the namespace from the rule + /groups

The issuer has to match the iss claim exactly; Auth0 publishes it with a trailing slash, and dropping it makes the OIDC discovery fail. Keeping clientSecret in the ConfigMap exposes it to anyone who can read ConfigMaps in the argocd namespace; Argo CD can read it from the argocd-secret Secret instead by setting clientSecret to $oidc.auth0.clientSecret and storing the real value under the oidc.auth0.clientSecret key of argocd-secret.

argocd-rbac-cm.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, netops, role:admin
  scopes: '[http://aaa.com/groups, email]' # <- important

scopes lists the ID-token claims whose values Argo CD matches against the subjects in policy.csv. The default is [groups], so unless the namespaced claim name is listed here the g line never matches and netops users get no role. Listing email as well allows p and g lines for individual users by address.

Sync

Sync the changes, restart the argocd-server pod, and log in.

Different permissions per group

  • Create a role called web in Auth0 (as in steps 9 and 10) and assign users to it; the name arrives in the groups claim.

  • Add the following to policy.csv in argocd-rbac-cm:

    p, role:web, applications, get, *, allow  # webteam
    p, role:web, applications, sync, *, allow # webteam
    g, web, role:web                          # webteam

Now the web group can only get and sync applications; any other action (delete, create, override, ...) is denied unless policy.default grants it.
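To see how the groups claim, the scopes setting and the policy.csv lines above combine, here is an added example (not Argo CD's own code) written in JavaScript: a small evaluator for the subset of the Argo CD/Casbin RBAC model this page uses, p and g lines, glob matching where * matches anything, an explicit deny beating any allow, and role:admin treated as allow-all (a simplification of Argo CD's built-in policy; policy.default is assumed unset). The user claim values, the nobody user and the extra prod/* deny line are constructed for the demo and are not on the page.

```javascript
// Added example, not Argo CD's own code: evaluator for the policy.csv format used in
// argocd-rbac-cm, covering only what this page uses. Assumptions (simplifications of the
// real Casbin-based model): '*' glob matching, deny beats allow, role:admin allows
// everything, no policy.default. Node.js >= 16.

// The policy lines from this page (both sections combined).
const POLICY_CSV = `
g, netops, role:admin
p, role:web, applications, get, *, allow  # webteam
p, role:web, applications, sync, *, allow # webteam
g, web, role:web                          # webteam
`;

// Constructed variation: same policy plus a deny that stops the web team syncing apps in
// the "prod" project (application objects are "<project>/<app-name>").
const STRICTER_CSV = POLICY_CSV + 'p, role:web, applications, sync, prod/*, deny\n';

function parsePolicy(csv) {
  const perms = [];
  const groups = [];
  for (const raw of csv.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim(); // drop comments and blank lines
    if (!line) continue;
    const f = line.split(',').map((s) => s.trim());
    if (f[0] === 'p' && f.length === 6) {
      perms.push({ subject: f[1], resource: f[2], action: f[3], object: f[4], effect: f[5] });
    } else if (f[0] === 'g' && f.length === 3) {
      groups.push({ subject: f[1], role: f[2] });
    } else {
      throw new Error(`malformed policy line: ${raw}`);
    }
  }
  return { perms, groups };
}

// '*' matches any run of characters; everything else is literal.
function globMatch(pattern, value) {
  const re = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp(`^${re}$`).test(value);
}

// The subjects for a request are the values of the claims listed in rbac `scopes` (the
// namespaced groups claim and email here), expanded through g lines until nothing changes.
function expandSubjects(policy, claimValues) {
  const subjects = new Set(claimValues);
  let changed = true;
  while (changed) {
    changed = false;
    for (const g of policy.groups) {
      if (subjects.has(g.subject) && !subjects.has(g.role)) {
        subjects.add(g.role);
        changed = true;
      }
    }
  }
  return subjects;
}

function can(policy, claimValues, resource, action, object) {
  const subjects = expandSubjects(policy, claimValues);
  if (subjects.has('role:admin')) return true; // assumption: built-in admin role allows everything
  let allowed = false;
  for (const p of policy.perms) {
    const hit = subjects.has(p.subject) && globMatch(p.resource, resource) &&
      globMatch(p.action, action) && globMatch(p.object, object);
    if (!hit) continue;
    if (p.effect === 'deny') return false; // an explicit deny wins over any allow
    if (p.effect === 'allow') allowed = true;
  }
  return allowed;
}

// Demo with constructed users: claim values as they would arrive in the token.
const NETOPS = ['netops', 'smiley@aaa.com'];
const WEB = ['web', 'dev@aaa.com'];
const NOBODY = ['nobody@aaa.com']; // self-registered user with no Auth0 role
const base = parsePolicy(POLICY_CSV);
const strict = parsePolicy(STRICTER_CSV);
for (const [who, claims] of [['netops', NETOPS], ['web', WEB], ['nobody', NOBODY]]) {
  for (const action of ['get', 'sync', 'delete']) {
    console.log(who.padEnd(7), action.padEnd(7), 'default/web-app',
      can(base, claims, 'applications', action, 'default/web-app') ? 'allow' : 'deny');
  }
}
console.log('web sync prod/web-app with the deny line:',
  can(strict, WEB, 'applications', 'sync', 'prod/web-app') ? 'allow' : 'deny');
```

The nobody user shows why the sign-up setting below matters: a self-registered account has no role, so it matches no g line and gets only what policy.default allows. For the real model, the argocd CLI can evaluate a policy file offline, for example argocd admin settings rbac can web sync applications 'default/web-app' --policy-file policy.csv.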

Logout

https://auth0.com/docs/api/authentication#logout

  • Edit argocd-cm.yaml and add logoutURL under oidc.config:

    logoutURL: https://your-auth0-domain/v2/logout?client_id=your-client-key&returnTo=your-argo-url

The returnTo value must also be added to the application's Allowed Logout URLs in Auth0, otherwise Auth0 rejects the redirect.

Sync and restart the pod.

Block sign-ups in Auth0

With sign-ups enabled on the Database connection, anyone who reaches the Argo CD login page can create an Auth0 account and authenticate; they have no role, so they only get whatever policy.default grants, but they still have a valid session. Turn on Disable Sign Ups in the connection's settings so accounts can only be created by an administrator.
