Skip to main content
Version: 1.23

Use OpenID Connect (OIDC) as your Authentication Provider

This guide will walk you through the steps necessary to configure OpenID Connect (OIDC) as the authentication provider for Okteto.

note

If you are looking to configure Private Registry credentials from Amazon ECR, please see our guide here.

Okteto supports any identity provider that implements the OpenID Connect standard. We have dedicated guides for the following providers:

For other providers, follow your OpenID Connect service provider's documentation on how to create the required application.

note

Your provider needs to support the UserInfo endpoint in order to be used with Okteto. This authentication option follows the OpenID standard, and it has been validated with Okta, PingIdentity, and GitLab.

Prerequisites

  • A working installation of Okteto
  • Helm 3.0+ installed in your local machine

Create the OpenID Connect Application

When creating the application, you'll need to provide the following values:

  • Start SSO URL: https://okteto.DOMAIN
  • Redirect URIs: https://okteto.DOMAIN, https://okteto.DOMAIN/auth/callback
  • Scopes: openid, email, profile
  • Response Type: code
  • Grant Type: authorization code

Configure Okteto

Once you have the OpenID Connect Application ready, update the auth section of your Helm configuration file with the following values:

config.yaml
  openid:
enabled: true
clientId: "REPLACE_ME_WITH_YOUR_APPLICATION_CLIENT_ID"
clientSecret: "REPLACE_ME_WITH_YOUR_APPLICATION_CLIENT_SECRET"
group: "REPLACE_ME_WITH_YOUR_GROUP"
endpoints:
issuer: "REPLACE_ME_WITH_YOUR_ISSUER_URL"
authorization: "REPLACE_ME_WITH_YOUR_AUTHORIZATION_URL"
mapping:
externalIDKey: nickname
nameKey: name
emailKey: email
pictureKey: picture
groupsKey: groups

You can also use a secret to store the sensitive part of these credentials.

Upgrade your Okteto instance for the new configuration to be applied. We recommend that you upgrade to the same version that you already have to minimize the changes and help you troubleshoot any issues.

The group field is optional. Only members of the group will be allowed to log in into your Okteto instance. An empty group field permits any user to log in.

The issuer and authorization endpoints must match the value returned in the provider config discovery.

The mapping fields are optional. Use them to configure the mapping between Okteto's user attributes and the claim coming from your authentication provider.