Configuring OIDC and OAuth authentication (non-OCP Install)

Configure OAuth2 or OpenID Connect (OIDC) authentication to secure your IBM Transformation Advisor instance for non-OpenShift Container Platform (non-OCP) installations.

The configuration methods and available automation capabilities differ depending on the version of the accelerator that you are running.

Version 5.0.0 and later
The product supports automatic OAuth endpoint discovery by using OIDC standards, which significantly reduces the number of environment variables that you need to define manually. If your provider is not OIDC-compliant, a manual fallback is still supported. For more information, see Configuring authentication (Version 5.0.0 and later).

Versions earlier than 5.0.0
The product requires full manual configuration of all OAuth identity endpoints, paths, and token paths within the security configuration scripts. For more information, see Configuring authentication (Versions earlier than 5.0.0).

Supported features

Capability Version 5.0.0 and later Versions earlier than 5.0.0
Primary setup method OIDC auto-discovery (recommended) Manual configuration
Required variables 3 variables (TA_AUTH_OIDC_ISSUER, TA_AUTH_OIDC_CLIENT_ID, TA_AUTH_OIDC_CLIENT_SECRET) 10 or more variables (all endpoints, paths, and scopes)
IdP compliance required OIDC-compliant (Keycloak, Azure AD, Okta, and others) Standard OAuth2 or specific provider API
Post-logout redirect (/revoked) Supported automatically Not explicitly handled in older configuration
Important: Regardless of your product version, Multi-Factor Authentication (MFA) cannot be configured inside the accelerator configuration files. MFA must be enabled and enforced directly at your Identity Provider (IdP) level.