Auth0

Learn how to authenticate with Auth0.

March 24, 2023

Before You Start #

You must have an Enterprise Server set up.
This guide assumes you are using the embedded proxy.
This guide uses Auth0 as an example; if you do not have an Auth0 account, sign up for one and create your Pool of Users.

1. Register With Your IdP #

Log in to your Auth0 account.
In Applications, click Create Application.
Type the name of your application, such as Pachyderm.
In the application type, select Regular Web Application.
Click Create.
Go to the application settings.
Scroll down to Application URIs.
In the Allowed Callback URLs, add the Pachyderm callback link in the following format:

# Dex's issuer URL + "/callback"
http(s)://<insert-external-ip-or-dns-name>/dex/callback

Scroll down to Show Advanced Settings.
Select Grant Types.
Verify that Authorization Code and Refresh Token are selected.

Auth0 Grant Settings

2. Set Up Connector #

Create a JSON or YAML connector config file that matches your IdP.

Syntax:

{
"type": "oidc",
"id": "auth0",
"name": "Auth0",
"version": 1,
"config":{
  "issuer": "https://dev-k34x5yjn.us.auth0.com/",
  "clientID": "hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5",
  "clientSecret": "7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL",
  "redirectURI": "http(s)://<insert-external-ip-or-dns-name>/dex/callback",
  "insecureEnableGroups": true,
  "insecureSkipEmailVerified": true,
  "insecureSkipIssuerCallbackDomainCheck": false,
  "forwardedLoginParams": ["login_hint"] 
  }
}

  type: oidc
  id: auth0
  name: Auth0
  version: 1
  config:
      issuer: https://dev-k34x5yjn.us.auth0.com/
      clientID: hegmOc5rTotLPu5ByRDXOvBAzgs3wuw5
      clientSecret: 7xk8O71Uhp5T-bJp_aP2Squwlh4zZTJs65URPma-2UT7n1iigDaMUD9ArhUR-2aL
      redirectURI: http(s)://<insert-external-ip-or-dns-name>/dex/callback
      insecureEnableGroups: true
      insecureSkipEmailVerified: true
      insecureSkipIssuerCallbackDomainCheck: false,
      forwardedLoginParams:
      - login_hint

ℹ️

Note that Pachyderm’s YAML format is a simplified version of Dex’s sample config.

Update the following attributes:

Attribute	Description
id	The unique identifier of your connector (string).
name	Its full name (string).
type	The type of connector. (oidc, saml).
version	The version of your connector (integer - default to 0 when creating a new connector)
issuer	The domain of your application (here in Auth0). For example, `https://dev-k34x5yjn.us.auth0.com/`. Note the trailing slash.
client_id	The Pachyderm Client ID (here in Auth0). The client ID consists of alphanumeric characters and can be found on the application
settings page.
client_secret	The Pachyderm client secret (here in Auth0) located on the application settings page.
redirect_uri	This parameter should match what you have added to Allowed Callback URLs when registering Pachyderm on your IdP website.

Open your Helm values.yml file.
Find the oidc.upstreamIDPs section.
Input your connector info; Pachyderm stores this value in the platform secret pachyderm-identity in the key upstream-idps.

stringData:
upstream-idps: |
    - type: github
    id: github
    name: GitHub
    jsonConfig: >-
        {
        "clientID": "xxx",
        "clientSecret": "xxx",
        "redirectURI": "https://pach.pachdemo.cloud/dex/callback",
        "loadAllGroups": true
        }

Alternatively, you can create a secret containing your dex connectors (Key: upstream-idps) and reference its name in the field oidc.upstreamIDPsSecretName.

The users registered with your IdP are now ready to Log in to Pachyderm

Considerations #

Ingress #

When using an ingress:

redirect_uri must be changed to point to https://domain-name/dex/callback. (Note the additional /dex/)
TLS requires all non-localhost redirectURIs to be HTTPS.
AZURE USERS:
- You must use TLS when deploying on Azure.
- When using Azure Active Directory, add the following to the oidc config:
```
"config":{
    "claimMapping": {
        "email": "preferred_username"
    } 
}      
```

Okta 👉