Generic OIDC

This feature requires an Enterprise license. To upgrade, contact Redpanda sales.

If you would like to integrate an OpenID Connect (OIDC) compatible identity provider that is not yet natively supported in Console, you can configure the generic OIDC provider. To do so, you first have to create an OAuth application in your identity provider and then provide this application’s credentials in the configuration:

  • Application type: Web application

  • Authorized redirect URI: https://console.yourcompany.com/login/callbacks/oidc

login:
  enabled: true

  # jwtSecret is a random string of at least 10 characters that must be the same for all Console instances.
  # This string is used to sign and validate the user session JSON Web Tokens (JWT).
  # If this string changes, logged-in Console users will be logged out and will have to initiate a
  # new session by logging in again.
  jwtSecret: ""

  oidc:
    # Whether or not the OIDC provider should be initialized
    enabled: true

    # OAuth application client id
    clientId: ""

    # OAuth application client secret
    clientSecret: ""

    # IssuerUrl is the identity provider's URL; for example, https://accounts.google.com.
    # Console will send a GET request to `${issuerUrl}/.well-known/openid-configuration`
    # and the `issuer` returned in the response has to match this issuer url.
    issuerUrl: ""

    # DisplayName is the name that shall be shown on the login page for this identity provider
    displayName: ""

    # UserIdentifyingClaimKey is a relevant property if you want to use a specific claim key
    # to identify users in the role binding. A claim key is part of the identity provider's
    # issued access token payload.
    # By default, we will use the 'sub' claim key, which usually resolves to the unique ID
    # within the identity provider. The value of this claim is compared against what you
    # use in the roleBindings for the `name` property.
    userIdentifyingClaimKey: "sub"
The userIdentifyingClaimKey can only be used for claims that have a string value. You cannot use it for the groups claim in AzureAD, for example, because the claim value is a string array.

Define role-bindings

After you set up the OIDC login configuration, you can bind users to roles. Below is a sample role binding:

roleBindings:
  - metadata:
      name: Developers
    subjects:
        # Kind must always be set to `user` for the OIDC provider, as the claims always belong to
        # an individual user.  This is also true if you match a claim against a group.
      - kind: user
        provider: OIDC
        # Name must match the value of your configured claim key
        name: joe@yourcompany.com
    roleName: editor