|
1 |
| -# Auth0 Example for OpenFaaS IAM |
| 1 | +# Example for OpenFaaS IAM |
2 | 2 |
|
3 |
| -In order to access the OpenFaaS API, a JWT Issuer must first be registered with the system. |
| 3 | +In order to access the OpenFaaS API, a JWT Issuer must first be registered with the system. In this example we will be using Auth0 as the identity provider for OpenFaaS. |
4 | 4 |
|
5 | 5 | Create an application on Auth0 for the OpenFaaS gateway, you'll need to obtain the corresponding "client_id".
|
6 | 6 |
|
7 |
| -## Register the Issuer for Auth0 |
| 7 | +> For more details on how to register different providers see: [Single Sign-On (SSO) for the OpenFaaS](/openfaas-pro/sso/overview/) |
| 8 | +
|
| 9 | +## Register the Issuer |
8 | 10 |
|
9 | 11 | An Issuer for `https://alexellis.eu.auth0.com/` might look like this:
|
10 | 12 |
|
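Review bot: On new line 1, the heading "# Example for OpenFaaS IAM" no longer says what the example covers, while the steps under it are still Auth0-specific (line 5 "Create an application on Auth0", line 11 issuer `https://alexellis.eu.auth0.com/`). Consider keeping the provider in the title, for example "Example: OpenFaaS IAM with Auth0", so it agrees with the sentence added on line 3. On new line 7, the link text "Single Sign-On (SSO) for the OpenFaaS" has a stray "the".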
@@ -55,7 +57,7 @@ The principal field is optional, however if it is given, both the principal and
|
55 | 57 |
|
56 | 58 | ### Match on group membership
|
57 | 59 |
|
58 |
| -If you configure Auth0 to emit a "group" claim such as "openfaas-dev", you could match this with a condition, instead of specifying individual "sub" fields. |
| 60 | +If you configure your identity provider to emit a "group" claim such as "openfaas-dev", you could match this with a condition, instead of specifying individual "sub" fields. |
59 | 61 |
|
60 | 62 | Groups are often represented as a list in the JWT so the `ForAnyValue` set operator can be used for this:
|
61 | 63 |
|
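Review bot: On new line 60, the phrase 'a "group" claim such as "openfaas-dev"' reads as if "openfaas-dev" were the claim rather than a value inside it, and now that the text says "your identity provider" the claim name itself depends on the provider. Suggest rewording to say the provider emits a "group" claim containing a value such as "openfaas-dev", and adding that the key used in the condition has to match the claim name the provider actually emits, otherwise the condition will not match.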
@@ -129,6 +131,8 @@ spec:
|
129 | 131 |
|
130 | 132 | The JwtIssuer, Role and Policy resources are Kubernetes Custom Resources, and must be created within the `openfaas` namespace.
|
131 | 133 |
|
| 134 | +See [Permissions](/openfaas-pro/iam/overview/#permissions) for an overview of all supported actions. |
| 135 | + |
132 | 136 | ## Authenticate as the user
|
133 | 137 |
|
134 | 138 | The `faas-cli` needs to be used to obtain a token from Auth0, and then exchange it for an OpenFaaS Access token.
|
|
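Review bot: New line 134 points to "all supported actions" but sits under the sentence about the `openfaas` namespace and directly above "## Authenticate as the user", so it reads as unrelated to both neighbours. It would be easier to find next to the Policy resource that uses those actions. Unchanged line 138 still says "obtain a token from Auth0", which matches the new intro on line 3 but is worth checking against the generalised wording used elsewhere in this commit.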