Run Commands

Auth0

Learn how to enable authentication through Auth0 as an Identity Provider.

Before You Start #

  • You must have the following enabled on your cluster:
  • You must have an Auth0 account
  • You should know the value of your proxy.host setting in your Helm values.yaml file

How to Enable Auth0 as an IdP #

⚠ī¸

The following guide does not cover how to create user pools in Auth0; once initially configured, any user with a Gmail account can log in to your Pachyderm instance. Refer to the official Auth0 documentation on how to manage users.

1. Create an App on Auth0 #

  1. Log in to your Auth0 account.
  2. In Applications, click Create Application.
  3. Type the name of your application, such as Pachyderm.
  4. In the application type, select Regular Web Application.
  5. Click Create.
  6. Go to the application settings.
  7. Scroll down to Application URIs.
  8. In the Allowed Callback URLs, add the Pachyderm callback link in the following format:
https://<your.proxy.host.value>/dex/callback
  1. Scroll down to Show Advanced Settings.
  2. Select Grant Types.
  3. Verify that Authorization Code and Refresh Token are selected.

Auth0 Grant Settings

2. Define Helm Config #

The following steps add the OIDC section to your Helm chart. When an upstream IdP is successfully added to the list, Pachyderm’s default MockIdP is disabled automatically. You can add multiple IdPs to upstreamIDPs.

  1. Navigate to your values.yaml file or obtain your current Helm values.yaml overrides:
    helm get values pachyderm  > values.yaml
  2. Add the following section:
Syntax:
  1. Update the following attributes:
FieldDescription
issuerThe Auth0 App’s domain URL, found under Settings > Basic Information; must have https:// and a trailing slash /.
clientIDThe Auth0 App’s client ID, found under Settings > Basic Information.
clientSecretThe Auth0 App’s client secret, found under Settings > Basic Information.
redirectURIA combination of your proxy host value and /dex/callback. For example, https://console.pachdemo.com/dex/callback.
  1. Save your changes and upgrade your cluster:
    helm upgrade pachyderm pachyderm/pachyderm -f values.yaml
💡

Alternatively, you can create a secret containing your dex connectors (Key: upstream-idps) and reference its name in the field oidc.upstreamIDPsSecretName.

3. Login #

The users registered with your IdP are now ready to Log in to Pachyderm

Troubleshooting #

PachD CrashLoopBackOff #

If you encounter a CrashLoopBackOff error after running the kubectl get pods command, it’s likely that one of the following needs to be fixed:

  • your issuer value is incorrect (it must have https:// and a trailing slash /).
  • you have an unexpected field such as version in the config section oidc.updstreamIDPs entry.

Example Error in PachD Pod logs #

You can obtain your pod logs by running: kubectl logs <pachd-pod-name> > logs.txt

create connector with ID: "auth0": unable to open connector: failed to get provider: oidc: issuer did not match the issuer returned by provider, expected "https://<auth0.app.domain.url>/" got "https://<auth0.app.domain.url>"