OAuth2 Identity Providers

Overview

You can integrate external OAuth2 providers with KubeSphere using the standard OAuth2 authorization-code flow. After the external OAuth2 server has authenticated an account, that account can be mapped to a KubeSphere account.


GitHubIdentityProvider

KubeSphere provides you with an example of configuring GitHubIdentityProvider for OAuth2 authentication.

Parameter settings

To set IdentityProvider parameters, edit the kubesphere-config ConfigMap in the kubesphere-system namespace.

  1. Execute the following command.

    kubectl -n kubesphere-system edit cm kubesphere-config
    
  2. This is an example configuration for your reference.

    apiVersion: v1
    data:
      kubesphere.yaml: |
        authentication:
          authenticateRateLimiterMaxTries: 10
          authenticateRateLimiterDuration: 10m0s
          loginHistoryRetentionPeriod: 7d
          maximumClockSkew: 10s
          multipleLogin: true
          kubectlImage: kubesphere/kubectl:v1.0.0
          jwtSecret: "jwt secret"
          oauthOptions:
            accessTokenMaxAge: 1h
            accessTokenInactivityTimeout: 30m
            identityProviders:
            - name: github
              type: GitHubIdentityProvider
              mappingMethod: auto
              provider:
                clientID: 'Iv1.547165ce1cf2f590'
                clientSecret: 'c53e80ab92d48ab12f4e7f1f6976d1bdc996e0d7'
                endpoint:
                  authURL: 'https://github.com/login/oauth/authorize'
                  tokenURL: 'https://github.com/login/oauth/access_token'
                redirectURL: 'https://ks-console/oauth/redirect'
                scopes:
                - user
        ...    
    
  3. Add the configuration block for GitHubIdentityProvider under authentication.oauthOptions.identityProviders. The clientID and clientSecret values in the example above are placeholders; use the values issued when you register the OAuth App in GitHub, and register the same redirectURL there, because GitHub rejects a callback whose URL does not match the registered one. Note that the ConfigMap stores clientSecret in plaintext, so anyone who can read ConfigMaps in kubesphere-system can read it; restrict that access with RBAC. See the following table for more information about the fields.

    | Field | Description |
    | --- | --- |
    | name | The unique name of the IdentityProvider. |
    | type | The type of IdentityProvider plugin. GitHubIdentityProvider is a built-in implementation. |
    | mappingMethod | How external accounts are mapped to KubeSphere accounts. auto (the default): a KubeSphere account is created and mapped automatically on the first successful login. lookup: accounts must be provisioned and mapped manually in KubeSphere before the user can log in. |
    | clientID | The OAuth2 client ID issued by GitHub for the OAuth App. |
    | clientSecret | The OAuth2 client secret issued by GitHub for the OAuth App. It is only ever sent from ks-apiserver to tokenURL, never to the browser. |
    | authURL | The OAuth2 authorization endpoint, to which the browser is redirected to sign in. |
    | tokenURL | The OAuth2 token endpoint, at which ks-apiserver exchanges the authorization code for an access token. |
    | redirectURL | The callback URL on ks-console that GitHub redirects to with the authorization code. It must use https and match the callback URL registered in GitHub exactly. |
    | scopes | The GitHub OAuth scopes requested. user, as in the example, grants read and write access to profile data; read:user is the narrowest scope that lets an application read the profile, so request more only if you need it. |

    For how to register the OAuth App and obtain these values, see GitHub's OAuth App documentation.
  4. Restart ks-apiserver so that it loads the new configuration.

    kubectl -n kubesphere-system rollout restart deploy ks-apiserver
    
  5. Open the login page of the KubeSphere console; the option Log in with GitHub now appears.

    [Screenshots: GitHub login page, GitHub authentication, logged-in console]

  6. After you log in to the console, the account can be invited to a workspace to work in one or more projects.
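The configuration above only makes sense once you can see the three messages it drives: the redirect to authURL, the callback to redirectURL, and the server-side POST to tokenURL. The following is an added example, not KubeSphere's code; it walks through that authorization-code flow with a provider entry of the same shape as the ConfigMap snippet. The clientID, clientSecret, console host and the callback code are constructed placeholders, and the scope is narrowed to read:user. It also includes a small pre-flight check of the kind you would run on the identityProviders entry before restarting ks-apiserver.

```python
"""OAuth2 authorization-code flow as driven by a GitHubIdentityProvider entry.
Added example, not KubeSphere's implementation. Uses only the standard library."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed identityProviders[] entry; credentials and host are placeholders.
PROVIDER = {
    "name": "github",
    "type": "GitHubIdentityProvider",
    "mappingMethod": "auto",
    "provider": {
        "clientID": "Iv1.example-client-id",        # placeholder
        "clientSecret": "example-client-secret",     # placeholder, never a real secret
        "endpoint": {
            "authURL": "https://github.com/login/oauth/authorize",
            "tokenURL": "https://github.com/login/oauth/access_token",
        },
        "redirectURL": "https://ks-console.example.com/oauth/redirect",  # placeholder host
        "scopes": ["read:user"],  # narrower than the page's `user`; enough to read the profile
    },
}


def check_provider(entry):
    """Pre-flight check of one identityProviders entry. Returns a list of problems (empty = OK)."""
    problems = []
    p = entry.get("provider", {})
    ep = p.get("endpoint", {})
    for key in ("clientID", "clientSecret", "redirectURL"):
        if not p.get(key):
            problems.append(f"provider.{key} is missing")
    for key in ("authURL", "tokenURL"):
        if urlparse(ep.get(key, "")).scheme != "https":
            problems.append(f"endpoint.{key} must be an https URL")
    redir = urlparse(p.get("redirectURL", ""))
    if redir.scheme != "https":
        problems.append("redirectURL must use https: the authorization code travels in its query string")
    if redir.query or redir.fragment:
        problems.append("redirectURL must not carry a query string or fragment")
    if entry.get("mappingMethod") not in ("auto", "lookup"):
        problems.append("mappingMethod must be auto or lookup")
    return problems


def new_state():
    """Unguessable per-login value, to be bound to the browser session (login-CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(entry, state):
    """Step 1: where the browser is sent when 'Log in with GitHub' is clicked."""
    p = entry["provider"]
    params = {
        "client_id": p["clientID"],
        "redirect_uri": p["redirectURL"],
        "scope": " ".join(p["scopes"]),
        "state": state,
        "response_type": "code",
    }
    return urlunparse(urlparse(p["endpoint"]["authURL"])._replace(query=urlencode(params)))


def parse_callback(entry, callback_url, expected_state):
    """Step 2: validate the redirect back to redirectURL and extract the code.
    Raises ValueError on anything an attacker could have influenced."""
    p = entry["provider"]
    cb, want = urlparse(callback_url), urlparse(p["redirectURL"])
    if (cb.scheme, cb.netloc, cb.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive at the registered redirectURL")
    q = parse_qs(cb.query)
    if "error" in q:
        raise ValueError(f"provider returned error: {q['error'][0]}")
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible login CSRF, discard this code")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(entry, code):
    """Step 3: the server-to-server POST to tokenURL. This is the only place clientSecret
    is used; it never reaches the browser. Accept: application/json makes GitHub answer in JSON."""
    p = entry["provider"]
    body = {
        "client_id": p["clientID"],
        "client_secret": p["clientSecret"],
        "code": code,
        "redirect_uri": p["redirectURL"],
    }
    headers = {"Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded"}
    return p["endpoint"]["tokenURL"], headers, urlencode(body)


if __name__ == "__main__":
    assert check_provider(PROVIDER) == []
    state = new_state()
    print("1. redirect browser to:", build_authorize_url(PROVIDER, state))
    callback = f"{PROVIDER['provider']['redirectURL']}?code=constructed-code&state={state}"
    code = parse_callback(PROVIDER, callback, state)
    url, headers, body = build_token_request(PROVIDER, code)
    print("3. POST", url, headers, body)
```

Running the script prints the authorize URL and the token request; the callback is constructed locally rather than fetched from GitHub, so it runs offline. The two checks in parse_callback are the ones worth remembering when something goes wrong in step 5: a callback that lands on a host or path other than redirectURL is rejected (which is also why GitHub insists on an exact match), and a state value that does not equal the one issued for this browser session is discarded rather than exchanged for a token.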