Activity: Configure OpenID Connect Authentication

Red Hat Developer Hub supports four authentication providers:

  • Guest (suitable for experimentation and demos only)

  • OpenID Connect

  • GitHub

  • Microsoft Azure

In this activity you’ll configure an OpenID Connect authentication provider. This enables developers within your organization to log in using their single sign-on credentials.

High-Level Workflow

A complete set of documentation for configuring OpenID Connect authentication using Red Hat Single Sign-On is available in the Red Hat Developer Hub documentation.

Don’t worry if some of the following bullet points are hard to understand upon first reading them. You’ll be guided through each step-by-step.

The high-level steps involve:

  1. Creating a Realm and Client in Red Hat Single Sign-On. These have been pre-configured for you. View the backstage Realm using the following URL and credentials:

  2. Configuring the Red Hat Developer Hub Keycloak plugin to synchronize users from Red Hat Single Sign-On to Red Hat Developer Hub.

  3. Configuring the oidc Red Hat Developer Hub authentication provider with the Realm details.

  4. Setting oidc as the signInPage type for Red Hat Developer Hub.

  5. Enabling session support on Red Hat Developer Hub.

Configure the OpenID Connect Authentication Provider

  1. Visit your rhdh/developer-hub-config repository on GitLab.

  2. Open the values.yaml file, then select Edit > Edit single file.

  3. Locate the appConfig.auth object in the YAML. You can search for --- AUTHENTICATION --- in this file to locate this section.

  4. Delete the existing auth configuration that contains the guest provider.

  5. Uncomment the entire auth configuration containing the oidc provider, and the signInPage setting below it.

    appConfig.auth object in the YAML

  6. The end result will look similar to:

    auth:
      session:
        secret: ${BACKEND_SECRET}
      environment: production
      providers:
        oidc:
          production:
            prompt: auto
            metadataUrl: https://sso.{openshift_cluster_ingress_domain}/realms/backstage/.well-known/openid-configuration
            clientId: ${OAUTH_CLIENT_ID}
            clientSecret: ${OAUTH_CLIENT_SECRET}
            signIn:
              resolvers:
                - resolver: preferredUsernameMatchingUserEntityName
    signInPage: oidc

    This is an example standard Backstage auth configuration.

    A summary of what this configuration specifies:
    1. Enable sessions, and use the BACKEND_SECRET environment variable to sign sessions.

    2. Set the authentication environment to production. Environments can have any arbitrary name.

    3. Enable the OpenID Connect provider (providers.oidc) with the following configuration:

      • Provide a production configuration (corresponding to the environment defined previously).

      • Use the backstage Realm (metadataUrl).

      • Load the clientId and clientSecret from environment variables (populated from the pre-created oauth-client Secret, which is referenced in extraEnvVarsSecrets in the values.yaml).

      • Map any signing in user identity to a User Entity in Red Hat Developer Hub using the specified resolver.

    The signInPage property is specific to Red Hat Developer Hub. It ensures the correct sign-in UI is rendered. In upstream Backstage this requires React code changes.
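As an added check that is not part of this activity or of the Developer Hub project, the following Python validates the properties just summarized before the change is committed to the GitOps repository. It assumes values.yaml has already been loaded into a Python dict (for example with PyYAML) and uses a placeholder SSO hostname.

```python
import re

ENV_REF = re.compile(r"^\$\{[A-Z][A-Z0-9_]*\}$")

# Constructed sample mirroring this activity's auth block, as values.yaml would
# look once loaded into Python (e.g. with PyYAML); the SSO host is a placeholder.
APP_CONFIG = {
    "auth": {
        "session": {"secret": "${BACKEND_SECRET}"},
        "environment": "production",
        "providers": {"oidc": {"production": {
            "prompt": "auto",
            "metadataUrl": "https://sso.example.test/realms/backstage/.well-known/openid-configuration",
            "clientId": "${OAUTH_CLIENT_ID}",
            "clientSecret": "${OAUTH_CLIENT_SECRET}",
            "signIn": {"resolvers": [{"resolver": "preferredUsernameMatchingUserEntityName"}]},
        }}},
    },
    "signInPage": "oidc",
}

def check_oidc_auth(cfg):
    """Return the list of problems found in the oidc auth config (empty when it is sound)."""
    problems = []
    auth = cfg.get("auth", {})
    # 1. Sessions are signed with a secret that must come from the environment, not the repo.
    if not ENV_REF.match(str(auth.get("session", {}).get("secret") or "")):
        problems.append("auth.session.secret must be a ${VAR} reference such as ${BACKEND_SECRET}")
    # 2. The provider needs an entry whose name matches auth.environment.
    env = auth.get("environment")
    oidc = auth.get("providers", {}).get("oidc", {})
    if not env or env not in oidc:
        problems.append(f"providers.oidc has no entry matching auth.environment={env!r}")
    prov = oidc.get(env, {})
    # 3. Discovery must be fetched over TLS from a realm's well-known endpoint.
    url = prov.get("metadataUrl", "")
    if not (url.startswith("https://") and "/realms/" in url
            and url.endswith("/.well-known/openid-configuration")):
        problems.append("metadataUrl must be an https realm URL ending in /.well-known/openid-configuration")
    # 4. Client credentials are injected from the oauth-client Secret via env vars.
    for key in ("clientId", "clientSecret"):
        if not ENV_REF.match(str(prov.get(key, ""))):
            problems.append(f"{key} must be a ${{VAR}} reference, not a literal")
    # 5. Without a resolver no signed-in identity can be mapped to a User entity.
    if not prov.get("signIn", {}).get("resolvers"):
        problems.append("signIn.resolvers is empty; identities cannot be mapped to User entities")
    if cfg.get("signInPage") != "oidc":
        problems.append("signInPage is not 'oidc'; the oidc sign-in UI will not be rendered")
    return problems
```

Running check_oidc_auth on the loaded values.yaml in a pre-commit hook or CI job catches the common mistakes (a stray literal secret, an environment name with no matching provider block, a plain-http discovery URL) before OpenShift GitOps rolls them out.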

  1. Commit the changes with a message similar to feat: enable openid connect

  2. Click Refresh on the backstage Application in OpenShift GitOps. If prompted, log in as admin/{openshift_gitops_password}.

  3. Wait until the Application reports being in a Healthy state.

Login using OpenID Connect Authentication

  1. Once the latest version of your appConfig has been synchronized and rolled out, visit your Red Hat Developer Hub instance. You will be prompted to sign in using OpenID Connect.

    OIDC Sign-In Prompt

  2. Log in using the username pe1 and password {common_password} in the popup that appears. After logging in, visit the Settings page in Red Hat Developer Hub to confirm you’re logged in as the pe1 user.

    Viewing the user details on the Settings UI in Red Hat Developer Hub