Chapter 4. Enabling authentication in Red Hat Developer Hub

Authentication within Red Hat Developer Hub facilitates user sign-in, identification, and access to external resources. It supports multiple authentication providers.

Authentication providers are typically used in the following ways:

  • One provider for sign-in and identification.
  • Additional providers for accessing external resources.

The Red Hat Developer Hub supports the following authentication providers (provider name, followed by its key under auth.providers):

  • Microsoft Azure: microsoft
  • GitHub: github
  • Keycloak: oidc

For each provider that you want to use, follow the dedicated procedure to complete the following tasks:

  1. Set up the shared secret that the authentication provider and Red Hat Developer Hub require to communicate.
  2. Configure Red Hat Developer Hub to use the authentication provider.

4.1. Enabling the Microsoft Azure authentication provider

Red Hat Developer Hub includes a Microsoft Azure authentication provider that can authenticate users by using OAuth.

Procedure

  1. To allow Developer Hub to authenticate with Microsoft Azure, create an OAuth Application in Microsoft Azure.

    1. Go to Azure Portal > App registrations, and create an App Registration for Developer Hub.
    2. On your App registration overview page, add a new Web platform configuration, with the configuration:

      Redirect URI
      Enter the backend authentication URI set in Developer Hub: https://<APP_FQDN>/api/auth/microsoft/handler/frame
      Front-channel logout URL
      Leave blank.
      Implicit grant and hybrid flows
      Leave all checkboxes cleared.
    3. On the API permissions tab, click Add Permission, then add the following Delegated permissions for the Microsoft Graph API:

      • email
      • offline_access
      • openid
      • profile
      • User.Read
      • (Optional) Custom scopes of the Microsoft Graph API that you define both here and in the Developer Hub configuration (app-config-rhdh.yaml).
Note

Your company might require you to grant admin consent for these permissions. Even if your company does not require admin consent, you might still grant it, because it means users do not need to individually consent the first time they access Backstage. To grant admin consent, a directory admin must go to the admin consent page and click Grant admin consent for COMPANY NAME.

    4. Go to the Certificates & Secrets page, then the Client secrets tab, and create a new client secret. Save the Client secret for the next step.

  2. Add your Microsoft Azure credentials in your Developer Hub secrets.

    1. Edit your Developer Hub secrets, such as secrets-rhdh.
    2. Add the following key/value pairs:

      • AUTH_AZURE_CLIENT_ID: Enter the Application ID that you generated on Microsoft Azure.
      • AUTH_AZURE_CLIENT_SECRET: Enter the Client secret that you generated on Microsoft Azure.
      • AUTH_AZURE_TENANT_ID: Enter your Tenant ID on Microsoft Azure.

  3. Set up the Microsoft Azure authentication provider in your Developer Hub custom configuration.

    1. Edit your custom Developer Hub config map, such as app-config-rhdh.
    2. In the app-config-rhdh.yaml content, add the microsoft provider configuration under the root auth configuration, and enable the microsoft provider for sign-in:

      app-config-rhdh.yaml fragment

      auth:
        environment: production
        providers:
          microsoft:
            production:
              clientId: ${AUTH_AZURE_CLIENT_ID}
              clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
              tenantId: ${AUTH_AZURE_TENANT_ID}
              # domainHint: ${AUTH_AZURE_TENANT_ID} 1
              # additionalScopes: 2
              #   - Mail.Send
      signInPage: microsoft 3

      1
      Optional for single-tenant applications. You can reduce login friction for users with accounts in multiple tenants by automatically filtering out accounts from other tenants. If you want to use this parameter for a single-tenant application, uncomment and enter the tenant ID. If your application registration is multi-tenant, leave this parameter blank. For more information, see Home Realm Discovery.
      2
      Optional for additional scopes. To add scopes for the application registration, uncomment and enter the list of scopes that you want to add. The default and mandatory value is ['user.read'].
      3
      To enable the Microsoft Azure provider as the default sign-in provider.
Note

Optional for environments with restrictions on outgoing access, such as firewall rules. If your environment has outgoing access restrictions, make sure your Backstage backend has access to the following hosts:

  • login.microsoftonline.com: To get and exchange authorization codes and access tokens.
  • graph.microsoft.com: To fetch user profile information (as seen in this source code). If this host is unreachable, users might see an Authentication failed, failed to fetch user profile error when they attempt to log in.

4.2. Enabling the GitLab OAuth authentication provider

Red Hat Developer Hub includes a GitLab authentication provider that can authenticate users by using GitLab OAuth.

Prerequisites

  • You configured Developer Hub with a custom config map and secret.

Procedure

  1. To allow Developer Hub to authenticate with GitLab, create an OAuth Application in GitLab.

    Go to GitLab User settings > Applications, and click the Add new application button.

    Name
    Enter your application name, such as Developer Hub.
    Redirect URI
    Enter the backend authentication URI set in Developer Hub, such as http://<APP_FQDN>/api/auth/gitlab/handler/frame. Due to a peculiarity with GitLab OAuth, ensure the URL has no trailing / after 'frame'.
    Scopes

    Select the following scopes from the list and click Save application:

    read_user
    Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
    read_repository
    Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API.
    write_repository
    Grants read/write access to repositories on private projects using Git-over-HTTP (not using the API).
    openid
    Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user’s profile and group memberships.
    profile
    Grants read-only access to the user’s profile data using OpenID Connect.
    email
    Grants read-only access to the user’s primary email address using OpenID Connect.

    Save the Application ID and Secret for the next step.

  2. Add your GitLab credentials in your Developer Hub secrets.

    1. Edit your Developer Hub secrets, such as secrets-rhdh.
    2. Add the following key/value pairs:

      AUTH_GITLAB_CLIENT_ID
      Enter the Application ID that you generated on GitLab, such as 4928c033ab3d592845c044a653bc20583baf84f2e67b954c6fdb32a532ab76c9.
      AUTH_GITLAB_CLIENT_SECRET
      Enter the Secret that you generated on GitLab, such as gloas-f2c9c350759cc08346fbf94a476ae83c579c76dd629fc5eeef9dc21eedfe0475.
  3. Set up the GitLab authentication provider in your Developer Hub custom configuration.

    1. Edit your custom Developer Hub config map, such as app-config-rhdh.
    2. In the app-config-rhdh.yaml content, add the gitlab provider configuration under the root auth configuration, and enable the gitlab provider for sign-in:

      app-config-rhdh.yaml fragment

      auth:
        environment: production
        providers:
          gitlab:
            production:
              clientId: ${AUTH_GITLAB_CLIENT_ID}
              clientSecret: ${AUTH_GITLAB_CLIENT_SECRET}
              # audience: https://gitlab.company.com 1
              # callbackUrl: https://<APP_FQDN>/api/auth/gitlab/handler/frame 2
      signInPage: gitlab 3

      1
      Optionally, when using a self-hosted GitLab: uncomment, and enter your GitLab instance base URL, such as https://gitlab.company.com.
      2
      Optionally, when using a custom redirect URI: uncomment, and enter the URL matching the Redirect URI registered when creating your GitLab OAuth App, such as http://<APP_FQDN>/api/auth/gitlab/handler/frame. Due to a peculiarity with GitLab OAuth, ensure the URL has no trailing / after 'frame'.
      3
      To enable the GitLab provider as the default sign-in provider.
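The following Python check is an added example, not code from the Red Hat documentation or the Developer Hub project. It applies the rules from sections 4.1 and 4.2 to an auth fragment: signInPage must name a configured provider, clientSecret must be a ${VAR} reference resolved from secrets-rhdh rather than a literal in the config map, and callbackUrl must end exactly in /api/auth/<provider>/handler/frame with no trailing slash. It assumes the YAML has already been parsed into dicts (so no PyYAML is required) and uses rhdh.example.com as a placeholder host.

```python
import copy
import re
from urllib.parse import urlparse

ENV_REF = re.compile(r"^\$\{[A-Z0-9_]+\}$")  # a ${AUTH_..._SECRET} style reference

# Constructed sample (assumption): the page's auth fragment as dicts, not YAML, with three deliberate mistakes.
SAMPLE_AUTH = {
    "environment": "production",
    "providers": {
        "gitlab": {"production": {
            "clientId": "${AUTH_GITLAB_CLIENT_ID}",
            "clientSecret": "${AUTH_GITLAB_CLIENT_SECRET}",
            # trailing slash after 'frame': the GitLab quirk the page warns about
            "callbackUrl": "https://rhdh.example.com/api/auth/gitlab/handler/frame/",
        }},
        "microsoft": {"production": {
            "clientId": "${AUTH_AZURE_CLIENT_ID}",
            "clientSecret": "literal-secret-pasted-into-configmap",  # should be a ${...} reference
            "tenantId": "${AUTH_AZURE_TENANT_ID}",
        }},
    },
    "signInPage": "github",  # no github provider block exists in this fragment
}

def check_auth_config(auth):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    env = auth.get("environment", "development")
    providers = auth.get("providers", {})
    if auth.get("signInPage") not in providers:
        findings.append(f"signInPage '{auth.get('signInPage')}' is not a configured provider")
    for name, envs in providers.items():
        cfg = envs.get(env, {})  # the block named by auth.environment (production here)
        # Secrets belong in secrets-rhdh and are referenced as ${VAR}; a literal here lands in the config map.
        if not ENV_REF.match(str(cfg.get("clientSecret", ""))):
            findings.append(f"{name}.clientSecret: literal value; reference a ${{VAR}} from secrets-rhdh")
        # callbackUrl must match the redirect URI registered with the provider exactly.
        cb = cfg.get("callbackUrl")
        if cb is not None and urlparse(cb).path != f"/api/auth/{name}/handler/frame":
            findings.append(f"{name}.callbackUrl: path must be /api/auth/{name}/handler/frame (no trailing '/')")
    return findings

def fixed_sample():
    # The same fragment with the three mistakes corrected.
    cfg = copy.deepcopy(SAMPLE_AUTH)
    cfg["signInPage"] = "gitlab"
    cfg["providers"]["gitlab"]["production"]["callbackUrl"] = "https://rhdh.example.com/api/auth/gitlab/handler/frame"
    cfg["providers"]["microsoft"]["production"]["clientSecret"] = "${AUTH_AZURE_CLIENT_SECRET}"
    return cfg
```

Running check_auth_config(SAMPLE_AUTH) reports the three mistakes in order (signInPage, gitlab.callbackUrl, microsoft.clientSecret); check_auth_config(fixed_sample()) returns an empty list.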

Verification

  1. The backstage-developer-hub deployment starts a pod with the updated configuration.
  2. Your Developer Hub sign-in page displays Sign in using GitLab.
© 2024 Red Hat, Inc.