Configuring OIDC and OAuth authentication (non-OCP Install)
Configure OAuth2 or OpenID Connect (OIDC) authentication to secure your IBM Transformation Advisor instance for non-OpenShift Container Platform (non-OCP) installations.
The configuration methods and available automation capabilities differ depending on the version of the accelerator that you are running.
- Version 5.0.0 and later
- The product supports automatic OAuth endpoint discovery by using OIDC standards, which significantly reduces the number of environment variables that you need to define manually. If your provider is not OIDC-compliant, a manual fallback is still supported. For more information, see Configuring authentication (Version 5.0.0 and later).
- Versions earlier than 5.0.0
- The product requires full manual configuration of all OAuth identity endpoints, paths, and token paths within the security configuration scripts. For more information, see Configuring authentication (Versions earlier than 5.0.0).
Supported features
| Capability | Version 5.0.0 and later | Versions earlier than 5.0.0 |
|---|---|---|
| Primary setup method | OIDC auto-discovery (recommended) | Manual configuration |
| Required variables | 3 variables (TA_AUTH_OIDC_ISSUER, TA_AUTH_OIDC_CLIENT_ID, TA_AUTH_OIDC_CLIENT_SECRET) | 10 or more variables (all endpoints, paths, and scopes) |
| IdP compliance required | OIDC-compliant (Keycloak, Azure AD, Okta, and others) | Standard OAuth2 or specific provider API |
| Post-logout redirect (/revoked) | Supported automatically | Not explicitly handled in older configuration |
Important: Regardless of your product version, Multi-Factor Authentication (MFA) cannot be configured inside the accelerator configuration files. MFA must be enabled and enforced directly at your Identity Provider (IdP) level.