Setup OIDC Authentication for Lyft Amundsen.

1. Okta Integration

if your organization has already using Okta then you can register your application with Okta or if you doing POC and test out okta integration then you can create a free Okta developer account:

You can follow the (written by ), it gives a very detailed explanation about how to set up an okta account and register your application.

let’s jump to the application setup.

  1. Under the Application tab, Click on Add application.

2. choose your application type as web application

3. provide information about base URI, Login Redirect URIs

Base URI :  http://localhost:5000
Login Redirect URI : http://localhost:5000/authorization-code/callback

Once your application is registered, you will get a client ID and client secret.

Create a client_secrets.json. You need to add your client ID and client secret.

setup these are environment variables.

Install module

$PYTHON_LIB -m pip install -r requirements.txt
$PYTHON_LIB install

Once faskoidc module is installed then start amundsen frontend.

cd ./amundsenfrontendlibrary/amundsen_application/static
npm install
npm run build # or npm run dev-build for un-minified source
cd ./amundsenfrontendlibrary
#$PYTHON_LIB -m pip install --upgrade pip
#$PYTHON_LIB -m pip install -r requirements.txt
$PYTHON_LIB install
$PYTHON_LIB amundsen_application/

now when you try to access it will redirect you to the Okta login page.

and on successful authentication, you can see the profile is created.

2. keycloak Integration ():

If you want to set up authentication with keyclock then you can follow the step to run

Here, we will do the Amundsen application registration in the master realm but you can create a new realm as given in this instruction set and register your application in a new realm.

register with your application with a meaningful name. here, I have registered it with amundsen-frontend and keep access type as confidential so it will generate client secret for your application

Application registration in keyclock

valid Redirect URIs :
Base URL :

setup URL
capture secret for your application

create a client secret file and save it as a JSON format file. ( helped to get the correct client secret file for keyclock )

set these environment variables and

create a user in keyclock with instruction provided but also provide email as well during user creation if you don’t provide email then authentication would not work as Amundsen frontend is going to identify the user with user email id.

set a temporary password which user can reset during the first logon.

set these environment variables and .


  1. Currently, there is a logout option and I haven’t explored logout functionality much and working on it. I will update this page once I figure it out.

2. If you are running your application on a windows machine then start frontend service using PowerShell as in case of git bash you may face error ValueError: URLs must start with a leading slash.

Reference Documents:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store