License Service Reporter authentication with OAuth/OIDC provider

You can configure the License Service Reporter to use the OAuth/OIDC provider with Identity Provider (IDP) as the authentication method to access the console. Learn how to enable the License Service Reporter to use the authentication server and examples of configuration for IBMLicenseServiceReporter custom resource instance.

Configuration

You can edit the IBMLicenseServiceReporter custom resource to configure the authentication for the License Service Reporter.

   spec:
     authentication:
         useradmin: 
           enabled: true
     oauth:
       enabled: true
       parameters: [
       ]

OAuth parameters

Option	Type	Description	Default value
--provider	String	OAuth providers such as `oidc` or `keycloak-oidc`
--provider-display-name	String	You can override the name of the provider with the specific string that is used for the sign-in page	Value depends on the provider
--client-id	String	OAuth Client ID
--client-secret-name	String	The name of the K8s secret with the OAuth Client Secret
--oidc-issuer-url	String	OpenID Connect issuer URL
--provider-ca-secret-name	String	The name of the K8s secret with CA certificates that is used when you connect to the provider
--allowed-group	String and list	Restrict logins for the members of this group. This can be given multiple times
--allowed-role	String and list	Restrict logins for the users with this role. This can be given multiple times and works only with the `keycloak-oidc` provider
--email-domain	String and list	Authenticate emails with the specified domain and can be given multiple times. Use `*` to authenticate the email
--scope	String	OAuth scope specification
--skip-oidc-discovery	Boolean	Bypass OIDC endpoint discovery. Configure the `--login-url`, `--redeem-url`, and `--oidc-jwks-url` parameters to use the `--skip-oidc-discovery` parameter	False
--oidc-jwks-url	String	OIDC JWKS URI for token verification. This parameter is required if OIDC discovery is disabled
--redeem-url	String	Token redemption endpoint. This parameter is required if OIDC discovery is disabled
--login-url	String	Authentication endpoint. This parameter is required if OIDC discovery is disabled
--ssl-insecure-skip-verify	Boolean	Skip validation of certificates presented with HTTPS providers. The `provider-ca-secret-name` parameter is ignored when you set the `--ssl-insecure-skip-verify` parameter to `true`	False

Creation of secrets

Create the secrets of the client-secret-name and provider-ca-secret-name in the same namespace where the License Service Reporter is installed.

The secret of the client-secret-name must include the following parameter:
```
 Key: data
 Value: <client-secret-value>
```
The secret of the provider-ca-secret-name must include the following parameter:
```
 Key: ca.crt
 Value: <provider-ca-value>
```

Allowed group or role

The license-administrator role contains the built-in group and role that can access the License Service Reporter. Assign the license-administrator role to the users in the IDP or provide the name of the group or role to allow the users to login to the License Service Reporter.

Examples of configurations

Example 1

The following example includes the set of parameters for IBM Foundational Services Identity and Access Management OIDC provider. The authentication methods for the provider are admin/OCP (icp:default:member allowed group), custom IDP (LDAP with my-ldap-group allowed group), and basic authentications:

   spec:
     authentication:
         useradmin: 
           enabled: true
         oauth:
           enabled: true
           parameters:
             - '--provider=oidc'
             - '--provider-display-name=My IBM IAM'
             - '--oidc-issuer-url=<IAM-cp-console-address>/idprovider/v1/auth'
             - '--client-id=kVuRijY11NadyL8UpEfGxtaXNycTlT4U'
             - '--client-secret-name=lsr-auth-client-secret'
             - '--provider-ca-secret-name=lsr-auth-provider-ca-secret'
             - '--allowed-group=icp:default:member'
             - '--allowed-group=my-ldap-group'

Example 2

The following example includes the set of parameters for IBM Foundational Services Identity Management OIDC provider with cpadmin/OCP and basic authentications:

   spec:
     authentication:
         useradmin: 
           enabled: true
         oauth:
           enabled: true
           parameters:
             - '--provider=oidc'
             - '--provider-display-name=My IBM IM'
             - '--oidc-issuer-url=<IAM-cp-console-address>/idprovider/v1/auth'
             - '--client-id=kVuRijY11NadyL8UpEfGxtaXNycTlT4U'
             - '--client-secret-name=lsr-auth-client-secret'
             - '--provider-ca-secret-name=lsr-auth-provider-ca-secret'

Example 3

The following example includes the set of parameters that need to be included in configuration for KeyCloak OIDC provider with one authorized license-administrator role and basic authentication:

   spec:
     authentication:
         useradmin: 
           enabled: true
         oauth:
           enabled: true
           parameters: 
             - '--provider=keycloak-oidc'
             - '--provider-display-name=My KeyCloak'
             - '--oidc-issuer-url=<Keycloak-address>/realms/master'
             - '--client-id=reporter'
             - '--client-secret-name=lsr-auth-client-secret'
             - '--provider-ca-secret-name=lsr-auth-provider-ca-secret'
             - '--scope=openid email profile'

Example 4

The following example includes the set of parameters that need to be included in configuration for KeyCloak OIDC provider with one authorized license-administrator role only:

   spec:
     authentication:
         oauth:
           enabled: true
           parameters:
             - '--provider=keycloak-oidc'
             - '--provider-display-name=My KeyCloak'
             - '--oidc-issuer-url=<Keycloak-addres>/realms/master'
             - '--client-id=reporter'
             - '--client-secret-name=lsr-auth-client-secret'
             - '--provider-ca-secret-name=lsr-auth-provider-ca-secret'
             - '--scope=openid email profile'

Troubleshooting

General

Unauthorized - 403 return code

Make sure that the proper role is assigned for the user with --allowed-group or --allowed-role parameter.
Make sure that the user belongs to the correct email domain with --email-domain parameter.

Error logs

For more details on the authentication issues, check the logs of the authentication container in the License Service Reporter deployment.

IBM IAM configuration

Unable to connect to the IAM IDP `issuer_url` because it points to the localhost

To resolve this issue, complete the following steps:

For the OIDC_ISSUER_URL parameter, change the localhost to the cp-console route address in the IAM platform-auth-idp configuration map.
Restart the IAM auth-idp pod and retry with the configuration.