Setting up a Tanzu Application Platform GUI authentication provider

Tanzu Application Platform GUI extends Backstage's current authentication plug-in so that you see a login page based on the authentication providers configured at install time. This feature is a work in progress, and at the moment it should support the following authentication providers out-of-the-box:

Follow the Backstage authentication docs to configure a supported authentication provider.

We also support a custom OpenID Connect (OIDC) provider, configured as shown here:

  • Edit your tap-values.yaml (or your custom configuration file) to include an OIDC authentication provider. Configure the OIDC provider with your OAuth App values. Example:
tap_gui:
  service_type: ClusterIP
  ingressEnabled: "true"
  ingressDomain: "INGRESS-DOMAIN"
  app_config:
    app:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
    catalog:
      locations:
        - type: url
          target: https://GIT-CATALOG-URL/catalog-info.yaml
    backend:
      baseUrl: http://tap-gui.INGRESS-DOMAIN
      cors:
        origin: http://tap-gui.INGRESS-DOMAIN
# Existing values file above
    auth:
      environment: development
      session:
        secret: custom session secret
      providers:
        oidc:
          development:
            metadataUrl: ${AUTH_OIDC_METADATA_URL}
            clientId: ${AUTH_OIDC_CLIENT_ID}
            clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
            tokenSignedResponseAlg: ${AUTH_OIDC_TOKEN_SIGNED_RESPONSE_ALG} # default='RS256'
            scope: ${AUTH_OIDC_SCOPE} # default='openid profile email'
            prompt: auto # default=none (allowed values: auto, none, consent, login)

metadataUrl points to a JSON file containing generic OIDC provider configuration, including authorizationUrl and tokenUrl. Tanzu Application Platform GUI reads these values from the metadataUrl file, so you do not need to specify them explicitly in the authentication configuration above.

For more information, see this example in GitHub.

Allow guest access

To enable guest access alongside other providers, set the following flag under your authentication configuration:

auth:
  allowGuestAccess: true

Customize the login page

You can change the card's title and/or description for a specific provider with the following configuration:

auth:
  environment: development
  providers:
    ... # auth providers config
  loginPage:
    github:
      title: Github Login
      message: Enter with your GitHub account

For a provider to show on the login page, it must be properly configured under the auth.providers section of your values file.
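
A pre-install check covering the OIDC provider block, the guest access flag, and the login page rule above. This is an added example, not code from the Tanzu or Backstage projects; the function name `lint_auth`, the 32-character secret floor, and the https check are assumptions, and the input is the `tap_gui.app_config` mapping after the values file has been parsed.

```python
# Added example (not Tanzu/Backstage code); names and the 32-char floor are assumptions.
from urllib.parse import urlparse

REQUIRED_OIDC_KEYS = ("metadataUrl", "clientId", "clientSecret")

def lint_auth(app_config):
    """Return findings for the auth-related settings of tap_gui.app_config."""
    findings = []
    auth = app_config.get("auth") or {}
    env = auth.get("environment")
    providers = auth.get("providers") or {}
    # The OIDC redirect and the session cookie travel over these URLs.
    for section in ("app", "backend"):
        url = (app_config.get(section) or {}).get("baseUrl", "")
        if urlparse(url).scheme != "https":
            findings.append(f"{section}.baseUrl is not https: {url}")
    secret = str((auth.get("session") or {}).get("secret", ""))
    if secret.strip().lower() == "custom session secret" or len(secret) < 32:
        findings.append("auth.session.secret is a placeholder or too short")
    # Each provider needs a block keyed by the value of auth.environment.
    for name, cfg in providers.items():
        if env not in (cfg or {}):
            findings.append(f"auth.providers.{name} has no block for {env!r}")
    oidc = (providers.get("oidc") or {}).get(env) or {}
    for key in REQUIRED_OIDC_KEYS:
        if "oidc" in providers and not oidc.get(key):
            findings.append(f"auth.providers.oidc.{env}.{key} is missing")
    # A login card is shown only for a provider under auth.providers.
    for name in auth.get("loginPage") or {}:
        if name not in providers:
            findings.append(f"auth.loginPage.{name} has no configured provider")
    if auth.get("allowGuestAccess") is True:
        findings.append("auth.allowGuestAccess is true")
    return findings

# Constructed sample: the page's example values plus guest access and a card.
SAMPLE = {
    "app": {"baseUrl": "http://tap-gui.INGRESS-DOMAIN"},
    "backend": {"baseUrl": "http://tap-gui.INGRESS-DOMAIN"},
    "auth": {
        "environment": "development", "allowGuestAccess": True,
        "session": {"secret": "custom session secret"},
        "providers": {"oidc": {"development": {
            "metadataUrl": "${AUTH_OIDC_METADATA_URL}",
            "clientId": "${AUTH_OIDC_CLIENT_ID}",
            "clientSecret": "${AUTH_OIDC_CLIENT_SECRET}"}}},
        "loginPage": {"github": {"title": "Github Login"}},
    },
}
```

Run it in the install pipeline and fail the job when `lint_auth` returns a non-empty list.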