| 1 | +--- |
| 2 | +title: Use Ory Hydra as OIDC (OpenID Connect) provider |
| 3 | +--- |
| 4 | + |
| 5 | +A requirement to run your own Chainloop instance is to configure an OIDC provider to authenticate users who interact with the control plane. |
| 6 | + |
| 7 | +## Pre-requisites |
| 8 | + |
| 9 | +To configure your Chainloop instance with Ory Hydra you'll need the following information: |
| 10 | + |
| 11 | +- Ory Hydra instance running |
| 12 | +- Access to your OIDC provider configuration |
| 13 | + |
| 14 | +## Configure Ory Hydra |
| 15 | + |
| 16 | +First, you'll need to have an Ory Hydra instance running. You can follow the [official documentation](https://www.ory.sh/hydra/docs/) to set up your own instance. |
| 17 | +Then simply create a new OAuth2 client in your Ory Hydra instance. You can do this by running the following command: |
| 18 | + |
| 19 | +```bash |
| 20 | +$ hydra create oauth2-client --name "ACME Solutions" --grant-type authorization_code,refresh_token --response-type code --scope openid,email,profile --redirect-uri http://CHAINLOOP_INSTANCE_URL/auth/callback --endpoint https://ORY_HYDRA_URL |
| 21 | +``` |
| 22 | + |
| 23 | +Chainloop client will only request `openid`, `email` and `profile` scopes. |
| 24 | + |
| 25 | +Relevant information that can be noted from the command signature is: |
| 26 | +- `name`: The name of the OAuth2 client |
| 27 | +- `grant-type`: The grant type of the client it needs to be set `authorization_code` and `refresh_token` |
| 28 | +- `response-type`: The response type of the client: `code` |
| 29 | +- `scope`: The scopes that the client will request: `openid`, `email`, `profile` |
| 30 | +- `redirect-uri`: The redirect URI of the client: Whenever is the Chainloop instance URL plus `/auth/callback` |
| 31 | +- `endpoint`: The endpoint of the Ory Hydra instance |
| 32 | + |
| 33 | +Once the command is run, it will give back something similar to the following: |
| 34 | + |
| 35 | +```bash |
| 36 | +CLIENT ID b028840e-8c54-4d01-91b9-eb2c4aa6fc0e |
| 37 | +CLIENT SECRET REDACTED |
| 38 | +GRANT TYPES authorization_code, refresh_token |
| 39 | +RESPONSE TYPES code |
| 40 | +SCOPE openid email profile |
| 41 | +AUDIENCE |
| 42 | +REDIRECT URIS http://0.0.0.0:8000/auth/callback, http://localhost:8000/auth/callback |
| 43 | +``` |
| 44 | + |
| 45 | +## Configure Chainloop deployment |
| 46 | + |
| 47 | +As explained in the [deployment guide](../k8s), you can configure the ODIC configuration `oidc` section of the `values.yaml` file. |
| 48 | + |
| 49 | +Just put the information we gathered from the previous steps like this. |
| 50 | + |
| 51 | +```yaml |
| 52 | +controlplane: |
| 53 | + oidc: |
| 54 | + url: "" # Ory Hydra URL |
| 55 | + clientID: "" # Ory Hydra OAuth2 client ID |
| 56 | + clientSecret: "" # Ory Hydra OAuth2 client secret |
| 57 | +``` |
| 58 | +
|
| 59 | +And deploy your Chainloop Control Plane with the update values to take effect. |
| 60 | +
|
| 61 | +Now your Chainloop instance will automatically authenticating users using the Ory Hydra instance you just configured. |
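Review bot: The `--redirect-uri` in the `hydra create oauth2-client` command uses plain `http://` for `CHAINLOOP_INSTANCE_URL`, and the sample output that follows lists two redirect URIs (`http://0.0.0.0:8000/auth/callback`, `http://localhost:8000/auth/callback`) that do not match the single URI passed to the command; for a real deployment the callback should be `https://`, and the sample output should either come from the command shown or be labelled as a local development run. Smaller fixes in the same hunk: drop the leading `$` from the bash block so the command can be copied as is; "`grant-type`: The grant type of the client it needs to be set `authorization_code` and `refresh_token`" should read "must be set to `authorization_code` and `refresh_token`"; "Whenever is the Chainloop instance URL plus `/auth/callback`" should read "the Chainloop instance URL followed by `/auth/callback`"; "configure the ODIC configuration `oidc` section" has a typo (OIDC) and is redundant; "the update values" should be "the updated values"; and "will automatically authenticating users" should be "will automatically authenticate users". Since `clientSecret` in `values.yaml` is a credential, a sentence pointing out that the populated file should not be committed to source control in plain text would help readers following this guide.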