Setup OIDC Authentication for Lyft Amundsen.

Nirav Langaliya
4 min readDec 28, 2020

1. Okta Integration

if your organization has already using Okta then you can register your application with Okta or if you doing POC and test out okta integration then you can create a free Okta developer account:

You can follow the page (written by Randall Degges), it gives a very detailed explanation about how to set up an okta account and register your application.

let’s jump to the application setup.

  1. Under the Application tab, Click on Add application.

2. choose your application type as web application

3. provide information about base URI, Login Redirect URIs

Base URI :  http://localhost:5000
Login Redirect URI : http://localhost:5000/authorization-code/callback

Once your application is registered, you will get a client ID and client secret.

Create a client_secrets.json. You need to add your client ID and client secret.

setup these are environment variables.

Install faskoidc module

$PYTHON_LIB -m pip install -r requirements.txt
$PYTHON_LIB install

Once faskoidc module is installed then start amundsen frontend.

cd ./amundsenfrontendlibrary/amundsen_application/static
npm install
npm run build # or npm run dev-build for un-minified source
cd ./amundsenfrontendlibrary
#$PYTHON_LIB -m pip install --upgrade pip
#$PYTHON_LIB -m pip install -r requirements.txt
$PYTHON_LIB install
$PYTHON_LIB amundsen_application/

now when you try to access http://localhost:5000 it will redirect you to the Okta login page.

and on successful authentication, you can see the profile is created.

2. keycloak Integration (

If you want to set up authentication with keyclock then you can follow the step to run docker image of keyclock

Here, we will do the Amundsen application registration in the master realm but you can create a new realm as given in this instruction set and register your application in a new realm.

register with your application with a meaningful name. here, I have registered it with amundsen-frontend and keep access type as confidential so it will generate client secret for your application

Application registration in keyclock

valid Redirect URIs : http://localhost:5000/*
Base URL : http://localhost:5000/

setup URL
capture secret for your application

create a client secret file and save it as a JSON format file. ( Aabha Raut helped to get the correct client secret file for keyclock )

set these environment variables and start the Amundsen metadata service.

create a user in keyclock with instruction provided here but also provide email as well during user creation if you don’t provide email then authentication would not work as Amundsen frontend is going to identify the user with user email id.

set a temporary password which user can reset during the first logon.

set these environment variables and start the Amundsen frontend service.


  1. Currently, there is a logout option and I haven’t explored logout functionality much and working on it. I will update this page once I figure it out.

2. If you are running your application on a windows machine then start frontend service using PowerShell as in case of git bash you may face error ValueError: URLs must start with a leading slash.

Reference Documents: