License Service Reporter authentication with OAuth/OIDC provider

You can configure the License Service Reporter to use an OAuth/OIDC provider with an Identity Provider (IDP) as the authentication method for access to the console. This page describes how to enable the License Service Reporter to use such an authentication server and gives configuration examples for the IBMLicenseServiceReporter custom resource instance.

Configuration

You can edit the IBMLicenseServiceReporter custom resource to configure the authentication for the License Service Reporter.

spec:
  authentication:
    useradmin:
      enabled: true
    oauth:
      enabled: true
      parameters: []

OAuth parameters

| Option | Type | Description | Default value |
| --- | --- | --- | --- |
| --provider | String | OAuth provider, such as oidc or keycloak-oidc. | |
| --provider-display-name | String | Overrides the provider name that is shown on the sign-in page. | Depends on the provider |
| --client-id | String | OAuth client ID. | |
| --client-secret-name | String | Name of the Kubernetes secret that holds the OAuth client secret. | |
| --oidc-issuer-url | String | OpenID Connect issuer URL. | |
| --provider-ca-secret-name | String | Name of the Kubernetes secret with the CA certificates that are used when connecting to the provider. | |
| --allowed-group | String, repeatable | Restrict logins to members of this group. Can be given multiple times. | |
| --allowed-role | String, repeatable | Restrict logins to users with this role. Can be given multiple times; works only with the keycloak-oidc provider. | |
| --email-domain | String, repeatable | Authenticate only email addresses in the specified domain. Can be given multiple times; use * to authenticate any email address. | |
| --scope | String | OAuth scope specification. | |
| --skip-oidc-discovery | Boolean | Bypass OIDC endpoint discovery. When set to true, the --login-url, --redeem-url, and --oidc-jwks-url parameters must be configured. | False |
| --oidc-jwks-url | String | OIDC JWKS URI for token verification. Required if OIDC discovery is disabled. | |
| --redeem-url | String | Token redemption endpoint. Required if OIDC discovery is disabled. | |
| --login-url | String | Authentication endpoint. Required if OIDC discovery is disabled. | |
| --ssl-insecure-skip-verify | Boolean | Skip validation of the certificates presented by HTTPS providers. The --provider-ca-secret-name parameter is ignored when this parameter is set to true. | False |
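The table carries several cross-parameter rules (a provider value from the list, the three endpoints when discovery is skipped, --allowed-role only with keycloak-oidc, the CA secret being ignored when certificate validation is skipped) that are easy to get wrong when the parameter list is edited by hand. The validator below is an added example, not code from the License Service Reporter or its documentation; the function names are my own, and the input is the spec.authentication.oauth.parameters list of the CR, such as the ones in the examples further down this page.

```python
from typing import Dict, List, Tuple

PROVIDERS = {"oidc", "keycloak-oidc"}  # values the parameters table lists for --provider
DISCOVERY_URLS = ("--login-url", "--redeem-url", "--oidc-jwks-url")  # needed if discovery is skipped
LOGIN_RESTRICTIONS = ("--allowed-group", "--allowed-role", "--email-domain")


def parse_parameters(parameters: List[str]) -> Dict[str, List[str]]:
    """Turn ['--key=value', ...] into {'--key': [values]}; repeatable flags keep every value."""
    parsed: Dict[str, List[str]] = {}
    for item in parameters:
        key, has_value, value = item.strip().partition("=")
        parsed.setdefault(key, []).append(value if has_value else "true")  # bare flag == true
    return parsed


def is_true(parsed: Dict[str, List[str]], key: str) -> bool:
    """Boolean parameters default to False, as in the table."""
    return parsed.get(key, ["false"])[-1].strip().lower() == "true"


def validate_oauth_parameters(parameters: List[str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for spec.authentication.oauth.parameters of the CR."""
    p = parse_parameters(parameters)
    errors: List[str] = []
    warnings: List[str] = []

    provider = p.get("--provider", [""])[-1]
    if provider not in PROVIDERS:
        errors.append(f"--provider must be one of {sorted(PROVIDERS)}, got {provider!r}")

    # Discovery bypassed: the three endpoints must be configured explicitly.
    if is_true(p, "--skip-oidc-discovery"):
        errors += [f"{u} is required when --skip-oidc-discovery=true" for u in DISCOVERY_URLS if u not in p]

    # Role restriction is evaluated only for the keycloak-oidc provider.
    if "--allowed-role" in p and provider != "keycloak-oidc":
        errors.append("--allowed-role works only with --provider=keycloak-oidc")

    # Certificate validation disabled: a configured CA secret is ignored.
    if is_true(p, "--ssl-insecure-skip-verify"):
        warnings.append("--ssl-insecure-skip-verify=true: provider TLS certificates are not validated")
        if "--provider-ca-secret-name" in p:
            warnings.append("--provider-ca-secret-name is ignored while --ssl-insecure-skip-verify=true")

    if not any(key in p for key in LOGIN_RESTRICTIONS):
        warnings.append("no --allowed-group, --allowed-role or --email-domain: logins are not restricted")
    return errors, warnings
```

Errors are conditions under which the sign-in cannot work as configured; warnings flag settings that widen who can log in or weaken the connection to the provider.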

Creation of secrets

Create the secrets that are referenced by --client-secret-name and --provider-ca-secret-name in the same namespace where the License Service Reporter is installed.

Allowed group or role

It is recommended to set the group and role parameters to license-administrator to control access to the License Service Reporter. You can assign the license-administrator role to users in the IDP, or provide the name of a group or role whose members are allowed to log in to the License Service Reporter.

The following is an example of the Custom Resource:

spec:
  authentication:
    useradmin:
      enabled: true
    oauth:
      enabled: true
      parameters:
        - '--allowed-group=license-administrator'
        - '--allowed-role=license-administrator'

Examples of configurations

Example for Identity and Access Management (IAM v3.x)

The steps in the following example show how to configure License Service Reporter authentication by using IAM v3.x.

  1. Make sure that you have IAM installed as a part of an IBM Cloud Pak®. For more information, see the IBM Cloud Pak foundational services Installer documentation.
  2. Create the new IAM client. For more information, see Automated client registration method 3.

    An example of a yaml file with the new client definition:

     apiVersion: oidc.security.ibm.com/v1
     kind: Client
     metadata:
         name: <CLIENT_NAME>
         namespace: <COMMON_SERVICES_NAMESPACE>  # You must create the secret in the namespace where IAM is installed.
     spec:
         secret: <CLIENT_SECRET_NAME>
         oidcLibertyClient:
             post_logout_redirect_uris:
             - <CLUSTER_DOMAIN>/license-service-reporter
             redirect_uris:
             - <CLUSTER_DOMAIN>/license-service-reporter/oauth2/callback
             trusted_uri_prefixes:
             - <CLUSTER_DOMAIN>/license-service-reporter
    

    Where:

    CLIENT_NAME

    The name of the new IAM client that is created for License Service Reporter authentication.

    CLIENT_SECRET_NAME

    The name of the secret that is created for the new IAM client.

    CLUSTER_DOMAIN

    The domain of the cluster provider.

    A secret named CLIENT_SECRET_NAME is created in the COMMON_SERVICES_NAMESPACE namespace. This secret has two fields, CLIENT_ID and CLIENT_SECRET, whose values are used in the following configuration steps.

  3. Create the client secret in the License Service Reporter namespace.

     apiVersion: v1
     kind: Secret
     metadata:
       name: <LSR_CLIENT_SECRET_NAME>
       namespace: <LSR_NAMESPACE>
     data:
       data: <CLIENT_SECRET> # The content of the CLIENT_SECRET field of <CLIENT_SECRET_NAME> from the <COMMON_SERVICES_NAMESPACE> namespace; values under data: must be base64-encoded.
    

    Where:

    LSR_CLIENT_SECRET_NAME

    The name of the client secret that is created in the License Service Reporter namespace.

    LSR_NAMESPACE

    The namespace where License Service Reporter is installed.

    CLIENT_SECRET

    The content of the CLIENT_SECRET field of the CLIENT_SECRET_NAME secret in the COMMON_SERVICES_NAMESPACE namespace.

  4. Set up the License Service Reporter with the License Service Reporter custom resource (CR).

    Note: You must create the lsr-auth-provider-ca-secret secret and base this secret on the cs-ca-certificate that is located in the COMMON_SERVICES_NAMESPACE namespace.

     spec:
       authentication:
           useradmin: 
             enabled: true
           oauth:
             enabled: true
             parameters:
                 - '--provider=oidc'
                 - '--provider-display-name=My IBM IAM'
                 - '--login-url=<IAM-cp-console-address>/idprovider/v1/auth/authorize'
                 - '--oidc-issuer-url=<IAM-cp-console-address>/idprovider/v1/auth'
                 - '--oidc-jwks-url=<IAM-cp-console-address>/idprovider/v1/auth/jwk'
                 - '--redeem-url=<IAM-cp-console-address>/idprovider/v1/auth/token'
                 - '--client-id=<CLIENT_ID>' # Taken from <CLIENT_SECRET_NAME> from <COMMON_SERVICES_NAMESPACE> namespace.
                 - '--client-secret-name=<LSR_CLIENT_SECRET_NAME>'
                 - '--ssl-insecure-skip-verify=true'
                 - '--allowed-group=icp:default:member'
                 - '--htpasswd-user-group=icp:default:member' # The best practice is to set the same group for the basic authentication to get both methods of authentication to work simultaneously.
                 - '--skip-oidc-discovery=true'
    

    Where:

    IAM-cp-console-address

    The address of the IAM IBM Cloud Pak console.

    CLIENT_ID

    The client ID from the CLIENT_ID field of the CLIENT_SECRET_NAME secret in the COMMON_SERVICES_NAMESPACE namespace.

    LSR_CLIENT_SECRET_NAME

    The name of the client secret that is created in the COMMON_SERVICES_NAMESPACE namespace.

Example for Identity Management (IM v4.x)

The steps in the following example show how to configure License Service Reporter authentication by using IM v4.x.

  1. Make sure that you have IM installed as a part of an IBM Cloud Pak. For more information, see the IBM Cloud Pak foundational services Installer documentation.
  2. Create the new IM client. For more information, see OIDC registration with the client custom resource.

    An example of a yaml file with the new client definition:

     apiVersion: oidc.security.ibm.com/v1
     kind: Client
     metadata:
         name: <CLIENT_NAME>
         namespace: <COMMON_SERVICES_NAMESPACE>  # You must create the secret in the namespace where IM is installed.
     spec:
         secret: <CLIENT_SECRET_NAME>
         oidcLibertyClient:
             post_logout_redirect_uris:
             - <CLUSTER_DOMAIN>/license-service-reporter
             redirect_uris:
             - <CLUSTER_DOMAIN>/license-service-reporter/oauth2/callback
             trusted_uri_prefixes:
             - <CLUSTER_DOMAIN>/license-service-reporter
    

    Where:

    CLIENT_NAME

    The name of the new IM client that is created for License Service Reporter authentication.

    CLIENT_SECRET_NAME

    The name of the secret that is created for the new IM client.

    CLUSTER_DOMAIN

    The domain of the cluster provider.

    A secret named CLIENT_SECRET_NAME is created in the COMMON_SERVICES_NAMESPACE namespace. This secret has two fields, CLIENT_ID and CLIENT_SECRET, whose values are used in the following configuration steps.

  3. Create the client secret in the License Service Reporter namespace.

     apiVersion: v1
     kind: Secret
     metadata:
       name: <LSR_CLIENT_SECRET_NAME>
       namespace: <LSR_NAMESPACE>
     data:
       data: <CLIENT_SECRET> # The content of the CLIENT_SECRET field of <CLIENT_SECRET_NAME> from the <COMMON_SERVICES_NAMESPACE> namespace; values under data: must be base64-encoded.
    

    Where:

    LSR_CLIENT_SECRET_NAME

    The name of the client secret that is created in the License Service Reporter namespace.

    LSR_NAMESPACE

    The namespace where License Service Reporter is installed.

    CLIENT_SECRET

    The content of the CLIENT_SECRET field of the CLIENT_SECRET_NAME secret in the COMMON_SERVICES_NAMESPACE namespace.

  4. Set up the License Service Reporter with the License Service Reporter CR.

    Note: You must create the lsr-auth-provider-ca-secret secret and base this secret on the router-certs-default that is located in the openshift-ingress namespace.

     spec:
       authentication:
           useradmin: 
             enabled: true
           oauth:
             enabled: true
             parameters:
                 - '--provider=oidc'
                 - '--provider-display-name=My IBM IM'
                 - '--login-url=<IM-cp-console-address>/idprovider/v1/auth/authorize'
                 - '--oidc-issuer-url=<IM-cp-console-address>/idprovider/v1/auth'
                 - '--oidc-jwks-url=<IM-cp-console-address>/idprovider/v1/auth/jwk'
                 - '--redeem-url=<IM-cp-console-address>/idprovider/v1/auth/token'
                 - '--client-id=<CLIENT_ID>' # Taken from <CLIENT_SECRET_NAME> from <COMMON_SERVICES_NAMESPACE> namespace.
                 - '--client-secret-name=<LSR_CLIENT_SECRET_NAME>'
                 - '--ssl-insecure-skip-verify=true'
                 - '--allowed-group=icp:default:member'
                 - '--htpasswd-user-group=icp:default:member' # The best practice is to set the same group for the basic authentication to get both methods of authentication to work simultaneously.
                 - '--skip-oidc-discovery=true'
    

    Where:

    IM-cp-console-address

    The address of the IM IBM Cloud Pak console.

    CLIENT_ID

    The client ID from the CLIENT_ID field of the CLIENT_SECRET_NAME secret in the COMMON_SERVICES_NAMESPACE namespace.

    LSR_CLIENT_SECRET_NAME

    The name of the client secret that is created in the COMMON_SERVICES_NAMESPACE namespace.

Example for KeyCloak OIDC provider with one authorized role and basic authentication

The following example shows the parameters that are required to configure the KeyCloak OIDC provider with one authorized license-administrator role together with basic authentication:

spec:
  authentication:
      useradmin: 
        enabled: true
      oauth:
        enabled: true
        parameters: 
          - '--provider=keycloak-oidc'
          - '--provider-display-name=My KeyCloak'
          - '--oidc-issuer-url=<Keycloak-address>/realms/master'
          - '--client-id=reporter'
          - '--client-secret-name=lsr-auth-client-secret'
          - '--provider-ca-secret-name=lsr-auth-provider-ca-secret'
          - '--scope=openid email profile'
          - '--allowed-group=license-administrator'
          - '--allowed-role=license-administrator'

Example for KeyCloak OIDC provider with one authorized role only

The following example shows the parameters that are required to configure the KeyCloak OIDC provider with one authorized license-administrator role only, without basic authentication:

spec:
  authentication:
      oauth:
        enabled: true
        parameters:
          - '--provider=keycloak-oidc'
          - '--provider-display-name=My KeyCloak'
          - '--oidc-issuer-url=<Keycloak-address>/realms/master'
          - '--client-id=reporter'
          - '--client-secret-name=lsr-auth-client-secret'
          - '--provider-ca-secret-name=lsr-auth-provider-ca-secret'
          - '--scope=openid email profile'
          - '--allowed-group=license-administrator'
          - '--allowed-role=license-administrator'