Introduction
Kommander by default deploys Dex for authentication. Dex acts as a shim between the client application and the upstream identity provider. Dex uses "connectors" to authenticate a user against another identity provider.
In Kommander, there are two ways to configure a Dex connector:
1. Via the Kommander install.yaml configuration file - discussed in this guide.
2. Through the Administration > Identity Providers section of the Kommander dashboard - discussed here.
This guide specifically covers using Google as an identity provider via the second approach (the Kommander dashboard). For the full list of connectors, see the list here.
How to
1. In the Kommander dashboard, under Identity Provider, click "Add Identity Provider" and choose OIDC.
2. Switch over to https://console.developers.google.com/apis/credentials
3. If there is no existing project, you will be asked to create one.
4. Click Add/Create Credentials and choose OAuth Client ID. If no consent form exists yet, you will be asked to fill one out.
a. The consent form is what the user sees when authorizing access. For testing purposes, only the required fields need to be filled out.
b. Scopes define which actions the application is authorized to perform on your account. For testing purposes, choose "openid", "profile", and "email".
5. Continuing with Create OAuth Credentials, fill out the form:
a. Application type = Web application
b. Name the application
c. Add an Authorized Redirect URI; this can be copied from the Kommander dashboard you opened earlier.
Note: Google will not accept a redirect URI based on an IP address. You can edit your hosts file or add a record in your DNS. Others have used a wildcard DNS service such as nip.io for testing purposes.
6. Upon creation, you will be given the Client ID and Client secret.
7. Switch back to Kommander's Identity Provider page and fill out the OIDC form:
a. Name - this is what will appear on the login button.
b. Client ID - retrieved from Google in the previous step
c. Client secret - retrieved from Google in the previous step
d. Issuer - https://accounts.google.com (or accounts.google.com)
e. User ID key: email (just the word email)
f. User name key: email (just the word email)
g. Enable "Insecure skip email verified" and "Insecure Enable Groups"
h. Add the scopes: openid, profile, email
i. Save
8. On the same Kommander Identity Provider page, switch to Groups and create a group.
9. Name the group and add users based on "Identity Provider Users", using each user's email address.
"Using Identity Provider Groups" can also be used, but it requires further configuration, namely fetching groups from Google.
10. After creating the group and adding the users, go to Administration > Access Control > Cluster Role Bindings.
11. On this page, you should see the group you previously created. You may proceed with adding roles to this group: either existing preconfigured Roles, or new ones you create under Cluster roles.
Further information regarding Kommander's access policy can be found here.
12. After adding the user to the appropriate role, you can log out, and the login page should have an additional button for the Google OIDC login.
Note: When testing credentials or logins in Chrome, it is best to use Incognito mode so that cached credentials do not interfere.
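As an added illustration (not Kommander's or Dex's own code), the Python model below shows what the OIDC form fields from step 7 control once a Google ID token arrives: which claim becomes the user ID and user name, what "Insecure skip email verified" bypasses, and what "Insecure Enable Groups" turns on. The names OIDCConnectorConfig, Identity, map_claims and the sample claims are assumptions of this example, and the token's signature is assumed to have been verified against the issuer's published keys before its claims are mapped.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class OIDCConnectorConfig:
    # Mirrors the fields on the Kommander "Add Identity Provider > OIDC" form.
    issuer: str = "https://accounts.google.com"
    user_id_key: str = "email"      # "User ID key"
    user_name_key: str = "email"    # "User name key"
    insecure_skip_email_verified: bool = False
    insecure_enable_groups: bool = False

@dataclass
class Identity:
    user_id: str
    username: str
    email_verified: bool
    groups: List[str]

def _strip_scheme(issuer: str) -> str:
    # Google's ID tokens carry "iss" as either "https://accounts.google.com" or
    # "accounts.google.com"; both forms name the same issuer.
    return issuer[8:] if issuer.startswith("https://") else issuer

def map_claims(claims: Dict[str, object], cfg: OIDCConnectorConfig) -> Identity:
    # Input: claims of an ID token whose signature has ALREADY been verified.
    # Raises ValueError on anything the connector would refuse to log in, so
    # the caller never receives a partially trusted identity.
    iss = str(claims.get("iss", ""))
    if _strip_scheme(iss) != _strip_scheme(cfg.issuer):
        raise ValueError(f"token issuer {iss!r} does not match {cfg.issuer!r}")
    if not claims.get("email"):
        raise ValueError("no 'email' claim; was the 'email' scope requested?")
    verified = bool(claims.get("email_verified", False))
    if not verified and not cfg.insecure_skip_email_verified:
        raise ValueError(f"{claims['email']!r} is not verified by the provider")
    user_id, username = claims.get(cfg.user_id_key), claims.get(cfg.user_name_key)
    if not user_id or not username:
        raise ValueError("User ID key or User name key claim is missing")
    # Without "Insecure Enable Groups" a groups claim is ignored entirely.
    groups = [str(g) for g in claims.get("groups", [])] if cfg.insecure_enable_groups else []
    return Identity(str(user_id), str(username), verified, groups)

# Constructed sample, shaped like a decoded Google ID token (not real data).
SAMPLE_CLAIMS: Dict[str, object] = {
    "iss": "accounts.google.com",
    "email": "alice@example.com",
    "email_verified": True,
}
```

Run it against SAMPLE_CLAIMS with the defaults and the login is accepted; flip email_verified to False and it is refused unless "Insecure skip email verified" is on, which is exactly the trade-off that toggle makes.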