Skip to main content
Version: 22.2

Generic OIDC

info

This feature requires an Enterprise license. To upgrade, contact Redpanda sales.

If you would like to integrate an OpenID Connect (OIDC) compatible identity provider that is not yet natively supported in Console, you can configure the generic OIDC provider. To do so, you first have to create an OAuth application in your identity provider and then provide this application's credentials in the configuration:

login:
enabled: true

# jwtSecret is a random string of at least 10 characters that must be the same for all Console instances.
# This string is used to sign and validate the user session JSON Web Tokens (JWT).
# If this string changes, logged-in Console users will be logged out and will have to initiate a
# new session by logging in again.
jwtSecret: ""

oidc:
# Whether or not the OIDC provider should be initialized
enabled: true

# OAuth application client id
clientId: ""

# OAuth application client secret
clientSecret: ""

# IssuerUrl is the identity provider's URL; for example, https://accounts.google.com.
# Console will send a GET request to `${issuerUrl}/.well-known/openid-configuration`
# and the `issuer` returned in the response has to match this issuer url.
issuerUrl: ""

# DisplayName is the name that shall be shown on the login page for this identity provider
displayName: ""

# UserIdentifyingClaimKey is a relevant property if you want to use a specific claim key
# to identify users in the role binding. A claim key is part of the identity provider's
# issued access token payload.
# By default, we will use the 'sub' claim key, which usually resolves to the unique ID
# within the identity provider. The value of this claim is compared against what you
# use in the roleBindings for the `name` property.
userIdentifyingClaimKey: "sub"

Define role-bindings

When you have setup the OIDC login configuration, you can now bind users to roles. Below you can find a sample role binding:

roleBindings:
- metadata:
name: Developers
subjects:
- kind: user
provider: OIDC
# Name must match the value of your configured claim key
name: joe@yourcompany.com
roleName: editor