Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 4. Enabling authentication in Red Hat Developer Hub
Authentication within Red Hat Developer Hub facilitates user sign-in, identification, and access to external resources. It supports multiple authentication providers.
Authentication providers are typically used in the following ways:
- One provider for sign-in and identification.
- Additional providers for accessing external resources.
The Red Hat Developer Hub supports the following authentication providers:
- Microsoft Azure
-
microsoft
- GitHub
-
github
- Keycloak
-
oidc
For each provider that you want to use, follow the dedicated procedure to complete the following tasks:
- Set up the shared secret that the authentication provider and Red Hat Developer Hub require to communicate.
- Configure Red Hat Developer Hub to use the authentication provider.
4.1. Enabling the Microsoft Azure authentication provider
Red Hat Developer Hub includes a Microsoft Azure authentication provider that can authenticate users by using OAuth.
Procedure
To allow Developer Hub to authenticate with Microsoft Azure, create an OAuth Application in Microsoft Azure.
- Go to Azure Portal > App registrations, and create an App Registration for Developer Hub.
On your App registration overview page, add a new Web platform configuration, with the configuration:
- Redirect URI
-
Enter the backend authentication URI set in Developer Hub:
https://<APP_FQDN>/api/auth/microsoft/handler/frame
- Front-channel logout URL
- Leave blank.
- Implicit grant and hybrid flows
- Leave all checkboxes cleared.
On the API permissions tab, click Add Permission, then add the following Delegated permission for the Microsoft Graph API:
email
,offline_access
,openid
,profile
,User.Read
, (Optional)-
Optional custom scopes of the Microsoft Graph API that you define both here and in the Developer Hub configuration (
app-config-rhdh.yaml
).
Your company might require you to grant admin consent for these permissions. Even if your company does not require admin consent, you might do so as it means users do not need to individually consent the first time they access backstage. To grant admin consent, a directory admin must go to the admin consent page and click Grant admin consent for COMPANY NAME.
Go to the Certificates & Secrets page, then the Client secrets tab, and create a new client secret. Save the Client secret for the next step.
- Add your Microsoft Azure credentials in your Developer Hub secrets.
-
Edit your Developer Hub secrets, such as
secrets-rhdh
. Add the following key/value pairs:
-
AUTH_AZURE_CLIENT_ID
: Enter the Application ID that you generated on Microsoft Azure. -
AUTH_AZURE_CLIENT_SECRET
: Enter the Client secret that you generated on Microsoft Azure. AUTH_AZURE_TENANT_ID
: Enter your Tenant ID on Microsoft Azure.Set up the Microsoft Azure authentication provider in your Developer Hub custom configuration.
Edit your custom Developer Hub config map, such as
app-config-rhdh
.In the
app-config-rhdh.yaml
content, add themicrosoft
provider configuration under the rootauth
configuration, and enable themicrosoft
provider for sign-in:app-config-rhdh.yaml
fragmentauth: environment: production providers: microsoft: production: clientId: ${AUTH_AZURE_CLIENT_ID} clientSecret: ${AUTH_AZURE_CLIENT_SECRET} tenantId: ${AUTH_AZURE_TENANT_ID} # domainHint: ${AUTH_AZURE_TENANT_ID} 1 # additionalScopes: 2 # - Mail.Send signInPage: microsoft 3
- 1
- Optional for single-tenant applications. You can reduce login friction for users with accounts in multiple tenants by automatically filtering out accounts from other tenants. If you want to use this parameter for a single-tenant application, uncomment and enter the tenant ID. If your application registration is multi-tenant, leave this parameter blank. For more information, see Home Realm Discovery.
- 2
- Optional for additional scopes. To add scopes for the application registration, uncomment and enter the list of scopes that you want to add. The default and mandatory value is
['user.read']
. - 3
- To enable the Microsoft Azure provider as default sign-in provider.
-
Optional for environments with restrictions on outgoing access, such as firewall rules. If your environment has outgoing access restrictions make sure your Backstage backend has access to the following hosts:
-
login.microsoftonline.com
: To get and exchange authorization codes and access tokens. -
graph.microsoft.com
: To fetch user profile information (as seen in this source code). If this host is unreachable, users might see an Authentication failed, failed to fetch user profile error when they attempt to log in.
4.2. Enabling the GitLab OAuth authentication provider
Red Hat Developer Hub includes a GitLab authentication provider that can authenticate users by using GitLab OAuth.
Prerequistes
- You configured Developer Hub with a custom config map and secret.
Procedure
To allow Developer Hub to authenticate with Gitlab, create an OAuth Application in Gitlab.
Go to GitLab User settings > Applications, and click the Add new application button.
- Name
-
Enter your application name, such as
Developer Hub
. - Redirect URI
-
Enter the backend authentication URI set in Developer Hub, such as
http://<APP_FQDN>/api/auth/gitlab/handler/frame
. Due to a peculiarity with GitLab OAuth, ensure the URL has no trailing/
after 'frame'. - Scopes
Select the following scopes from the list and click Save application:
read_user
- Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
read_repository
- Grants read-only access to the authenticated user’s profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
write_repository
- Grants read/write access to repositories on private projects using Git-over-HTTP (not using the API).
openid
- Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user’s profile and group memberships.
profile
- Grants read-only access to the user’s profile data using OpenID Connect.
email
Grants read-only access to the user’s primary email address using OpenID Connect.
Save the Application ID and Secret for the next step.
Add your Gitlab credentials in your Developer Hub secrets.
-
Edit your Developer Hub secrets, such as
secrets-rhdh
. Add the following key/value pairs:
AUTH_GITLAB_CLIENT_ID
-
Enter the Application ID that you generated on GitLab, such as
4928c033ab3d592845c044a653bc20583baf84f2e67b954c6fdb32a532ab76c9
. AUTH_GITLAB_CLIENT_SECRET
-
Enter the Secret that you generated on Gitlab, such as
gloas-f2c9c350759cc08346fbf94a476ae83c579c76dd629fc5eeef9dc21eedfe0475
.
-
Edit your Developer Hub secrets, such as
Set up the Gitlab authentication provider in your Developer Hub custom configuration.
-
Edit your custom Developer Hub config map, such as
app-config-rhdh
. In the
app-config-rhdh.yaml
content, add thegitlab
provider configuration under the rootauth
configuration, and enable thegitlab
provider for sign-in:app-config-rhdh.yaml
fragmentauth: environment: production providers: gitlab: production: clientId: ${AUTH_GITLAB_CLIENT_ID} clientSecret: ${AUTH_GITLAB_CLIENT_SECRET} # audience: https://gitlab.company.com 1 # callbackUrl: https://<APP_FQDN>/api/auth/gitlab/handler/frame 2 signInPage: gitlab 3
- 1
- Optionally, when using a self-hosted Gitlab: uncomment, and enter your GitLab instance base URL, such as
https://gitlab.company.com
. - 2
- Optionally, when using a custom redirect URI: uncomment, and enter the URL matching the Redirect URI registered when creating your GitLab OAuth App, such as
http://<APP_FQDN>/api/auth/gitlab/handler/frame
. Due to a peculiarity with GitLab OAuth, ensure the URL has no trailing/
after 'frame'. - 3
- To enable the Gitlab provider as default sign-in provider.
-
Edit your custom Developer Hub config map, such as
Verification
-
The
backstage-developer-hub
deployment starts a pod with the updated configuration. - Your Developer Hub sign-in page displays Sign in using GitLab.