Setup OIDC Authentication for Lyft Amundsen.
1. Okta Integration
if your organization has already using Okta then you can register your application with Okta or if you doing POC and test out okta integration then you can create a free Okta developer account: https://developer.okta.com/signup/
You can follow the page (written by Randall Degges), it gives a very detailed explanation about how to set up an okta account and register your application.
let’s jump to the application setup.
- Under the Application tab, Click on Add application.
2. choose your application type as web application
3. provide information about base URI, Login Redirect URIs
Base URI : http://localhost:5000
Login Redirect URI : http://localhost:5000/authorization-code/callback
Once your application is registered, you will get a client ID and client secret.
Create a client_secrets.json. You need to add your client ID and client secret.
setup these are environment variables.
Install faskoidc module
$PYTHON_LIB -m pip install -r requirements.txt
$PYTHON_LIB setup.py install
Once faskoidc module is installed then start amundsen frontend.
npm run build # or npm run dev-build for un-minified source
#$PYTHON_LIB -m pip install --upgrade pip
#$PYTHON_LIB -m pip install -r requirements.txt
$PYTHON_LIB setup.py install
now when you try to access http://localhost:5000 it will redirect you to the Okta login page.
and on successful authentication, you can see the profile is created.
2. keycloak Integration (https://www.keycloak.org/):
If you want to set up authentication with keyclock then you can follow the step to run docker image of keyclock
Here, we will do the Amundsen application registration in the master realm but you can create a new realm as given in this instruction set https://www.keycloak.org/getting-started/getting-started-docker and register your application in a new realm.
register with your application with a meaningful name. here, I have registered it with amundsen-frontend and keep access type as confidential so it will generate client secret for your application
valid Redirect URIs : http://localhost:5000/*
Base URL : http://localhost:5000/
create a client secret file and save it as a JSON format file. ( Aabha Raut helped to get the correct client secret file for keyclock )
set these environment variables and start the Amundsen metadata service.
create a user in keyclock with instruction provided here but also provide email as well during user creation if you don’t provide email then authentication would not work as Amundsen frontend is going to identify the user with user email id.
set a temporary password which user can reset during the first logon.
set these environment variables and start the Amundsen frontend service.
- Currently, there is a logout option and I haven’t explored logout functionality much and working on it. I will update this page once I figure it out.
2. If you are running your application on a windows machine then start frontend service using PowerShell as in case of git bash you may face error ValueError: URLs must start with a leading slash.
Setting up end-to-end authentication using OIDC is fairly simple and can be done using a Flask wrapper i.e., flaskoidc…