authenticating.html.md.erb

---
title: Configuring Authentication for Concourse OLM
owner: Concourse / OLM
---

Continuous integration tools can grant considerable visibility into an organization's source code and applications. To protect confidential or sensitive data, Concourse OLM provides options for both authentication and authorization of different users. 

**User authentication** controls who can log in to Concourse OLM servers. 

**User authorization** controls what data a user is allowed to see.

The authentication methods for Concourse OLM teams are determined by flags passed to [set-team](http://concourse.ci/fly-set-team.html). The exception to this is [main team](http://concourse.ci/teams.html#main-team), which is the default team for any Concourse OLM instance. <code>Main team</code> is configured as part of the initial deployment.

You can enable multiple authentication methods simultaneously. If you use multiple authentication methods, users are given the choice to log in using any of them.

## Configuring Basic Authentication
HTTP Basic authentication is the simplest of the authentication mechanisms. It has good support in both browsers and command line tools. It provides a single set of credentials for all of a team's users to share.

**Important**: Basic authentication is the least secure method of authentication, because shared credentials can be compromised or misused easily. Many highly secure organizations, such as financial institutions, do not allow the use of basic authorization.

<ol>
<li>Open a terminal window.</li>
<li>Enter the following commands:<br/>
<pre class="terminal">
fly set-team -n YOUR-TEAM \
    --basic-auth-username TEAM-USERNAME \
    --basic-auth-password TEAM-PASSWORD
</pre>
</li>
</ol>

## Configuring GitHub OAuth
A Concourse OLM server can authenticate through GitHub to take advantage of their permission model. Using OAuth also saves Concourse OLM users from having to make a unique login for their Concourse OLM team, because they can use a credential set they already have. 

An example GitHub OAuth configuration is below:

<pre class="terminal">
$ fly set-team -n NAME \
    --github-auth-client-id $CLIENT_ID \
    --github-auth-client-secret $CLIENT_SECRET \
    --github-auth-team NAME/TEAM-NAME
</pre>

### Configuring the callback URL
Follow GitHub's instructions to [Create an OAuth application on GitHub](https://github.com/settings/applications/new).

**Tips:** 
<ul>
<li>Use a recognizable name, home page, and description to help your users recognize a trusted source when they log in.</li>
<li>Use the external URL of your Concourse server with <code>/auth/github/callback</code> appended, for the Authorization callback URL. For example: <code>h<span>ttps</span>://ci.concourse.ci/auth/github/callback</code>.</li>
</ul>

### Configuring the Client
GitHub provides a Client ID and a Client Secret for your new application. Use these to set the following flags:

<ol>
<li>Open a terminal window.</li>
<li>Navigate to your Concourse OLM deployment manifest.</li>
<li>Set the following flags:<br/>
<pre class="terminal">
--github-auth-client-id=CLIENT_ID
--github-auth-client-secret=CLIENT_SECRET
</pre><br/>
If you are configuring GitHub Enterprise, set these additional flags as well:
<pre class="terminal">
--github-auth-auth-url=https://github.example.com/login/oauth/authorize
--github-auth-token-url=https://github.example.com/login/oauth/access_token
--github-auth-api-url=https://github.example.com/api/v3/
</pre>
</li>
<p class="note"><strong>Note</strong>: The API URL must end in a forward slash (/).</p>
</ol>

### Authorizing GitHub users, teams, and organizations

You can now allow different organizations, teams, and individual users to access your server. 
<ol>
<li>Open a terminal window.</li>
<li>Navigate to your Concourse OLM deployment manifest.</li>
<li>Set the following flags:<br />

To authorize an individual user:
<pre class="terminal">--github-auth-user=LOGIN</pre>

To authorize an team's members within an organization:
<pre class="terminal">--github-auth-team=ORG/TEAM NAME</pre>

To authorize an entire organization's members:
<pre class="terminal">--github-auth-organization=ORG</pre>
</li>
</ol>

You can use any of these flags multiple times to allow different levels of access.

## Configuring UAA OAuth
If you’re using the User Access and Authentication (UAA) Cloud Foundry component, you can set up OAuth with your Concourse OLM.

The <code>--uaa-auth-*</code> flags allow you to authorize members of a particular space in a Cloud Foundry deployment. 

## Configuring the UAA client
Configure a client for Concourse with your UAA. The callback URL is the external URL of your Concourse server with `/auth/oauth/callback` appended. For example, `https://ci.concourse.ci/auth/oauth/callback`.

An example client is below. This client should be stored under [uaa.clients](http://bosh.io/jobs/uaa?source=github.com/cloudfoundry/uaa-release&version=13#p=uaa.clients):

<pre class="terminal">
concourse:
  id: MY-CLIENT-ID
  secret: MY-CLIENT-SECRET
  scope: cloud_controller.read
  authorities: cloud_controller.admin
  authorized-grant-types: "authorization_code,client_credentials,refresh_token"
  access-token-validity: 3600
  refresh-token-validity: 3600
  autoapprove: true
  override: true
  redirect-uri: https://concourse.EXAMPLE.com/auth/uaa/callback
</pre>

### Configuring the team
An example authorization configuration for a team's space in a PCF installation is below:

<pre class="terminal">
$ fly set-team -n my-cf-team \
    --uaa-auth-client-id $CLIENT_ID \
    --uaa-auth-client-secret $CLIENT_SECRET \
    --uaa-auth-auth-url https://login.my-cf.com/oauth/authorize \
    --uaa-auth-token-url https://login.my-cf.com/oauth/token \
    --uaa-auth-cf-url https://api.my-cf.com \
    --uaa-auth-cf-ca-cert ./path/to/cf-ca-cert.crt \
    --uaa-auth-cf-space GUID-OF-TEAM-SPACE
</pre>