-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #670 from keboola/add-oidc-setup
Add OIDC setup
- Loading branch information
Showing
6 changed files
with
302 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| --- | ||
| title: Auth0 | ||
| permalink: /components/data-apps/oidc/auth0/ | ||
| --- | ||
|
|
||
| * TOC | ||
| {:toc} | ||
|
|
||
| This document will guide you through the steps needed to set up the OpenID Connect (OIDC) protocol for Keboola data apps, specifically for use on Auth0. | ||
|
|
||
| ## Step 1: Create a New OAuth 2.0 Client ID in Auth0 | ||
| Follow these steps to create a new OAuth 2.0 client ID in Auth0: | ||
|
|
||
| - Go to the Auth0 and log in. | ||
| - Select **Applications** and click **Applications**. | ||
| - Click **+Create Application**. | ||
| - Select **End users authenticate through my application**. | ||
| - Then select **Frontend**. | ||
| - Choose **Other browser technology** as an application technology and give your application a name, for example, "Streamlit OIDC Demo". Then click **Continue**. | ||
| - Choose **Python** as a technology you are using in your web app. | ||
| - You do not have the **Allowed callback URL** yet; you will need to create a data app in Keboola first. | ||
| - Click **Save Changes** to finish. | ||
|
|
||
| ## Step 2: Create a Data App in Keboola | ||
| Follow these steps to configure you data app in Keboola: | ||
|
|
||
| - Go to your Keboola project. | ||
| - Click **Data Apps**. | ||
| - Create a new data app by clicking the green **+** button. | ||
| - Give your app a name and click **Create Data App** to finalize the creation. | ||
|
|
||
| ## Step 3: Set Up the Authentication Method | ||
| Follow these steps to set up the authentication method for your data app: | ||
|
|
||
| - Go to the newly created data app. | ||
| - Click the **Information & Settings** tab. | ||
| - Under **Authentication**, select **OIDC** and then **Generic OIDC**. | ||
| - Copy the client ID from your Auth0 application to the **Client ID** field in Keboola. | ||
| - Copy the client secret from the Auth0 application to the **Client secret** field in Keboola. | ||
| - In the **Issuer URL** field, enter `https://<yourDomain>.us.auth0.com/`, which is the correct issuer URL for Google OAuth 2.0. | ||
| - Click **Save** to apply the changes. | ||
|
|
||
| ## Step 4: Set Up the Auth0 Consent Screen | ||
| Follow these steps to configure your data app's consent screen in Auth0: | ||
|
|
||
| - Go to the Auth0 and open your OIDC application. | ||
| - Go to the **Settings** tab and enter the **Allowed callback URL**. The format of the callback URL is as follows: | ||
| `https://<dataAppId>.hub.<keboolaConnectionHost>/_proxy/callback` | ||
| (e.g., `https://auth0-oidc-data-app-1234567890.hub.keboola.com/_proxy/callback`) | ||
| - Save the changes. | ||
|
|
||
| ## Step 5: Deploy the Data App in Keboola | ||
| Follow these steps to deploy your data app in Keboola: | ||
|
|
||
| - Go back to your data app in Keboola. | ||
| - Click the **Deploy data app** tab. | ||
| - Select **Code** or **GitHub** deployment type and add code of your application. | ||
| - Click the green **Deploy Data App** button to deploy the application. | ||
|
|
||
| ## Step 6: Test your Data App | ||
| Follow these steps to test your new data app: | ||
|
|
||
| - Go to the data app's URL. | ||
| - You should be redirected to the Auth0 consent screen. | ||
| - Log in with your Auth0 account to verify your identity. | ||
| - The Data App should display its content. | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| --- | ||
| title: Google Cloud Platform | ||
| permalink: /components/data-apps/oidc/google-cloud-platform/ | ||
| --- | ||
|
|
||
| * TOC | ||
| {:toc} | ||
|
|
||
| This document will guide you through the steps needed to set up the OpenID Connect (OIDC) protocol for Keboola data apps, specifically for use on Google Cloud Platform (GCP). | ||
|
|
||
| ## Step 1: Create a New OAuth 2.0 Client ID in GCP | ||
| Follow these steps to create a new OAuth 2.0 client ID in GCP: | ||
|
|
||
| - Go to the GCP console. | ||
| - Select **APIs & Services**. | ||
| - Click **Credentials**, then **Create Credentials**. | ||
| - Select **OAuth 2.0 Client ID**. | ||
| - Choose **Web application** as the application type. | ||
| - Give your client ID a name, for example, "Streamlit OIDC Demo". | ||
| - Enter the **Authorized redirect URIs** pointing back to your data app. <br>Make sure to add `/_proxy/callback` to the end of your redirect URL. This is how Keboola will send the authentication response to your app. The format of the redirect URL is as follows: `https://<dataAppId>.hub.<keboolaConnectionHost>/_proxy/callback` (e.g., `https://google-oidc-data-app-1234567890.hub.keboola.com/_proxy/callback`). | ||
| - Click **Create** to finish. | ||
|
|
||
| ## Step 2: Create a New Data App in Keboola | ||
| Follow these steps to start configuring your data app in Keboola: | ||
|
|
||
| - Go to your Keboola project. | ||
| - Select **Data Apps**. | ||
| - Create a new data app by clicking the green **+** button. | ||
| - Give your app a name and click **Create Data App** to finalize the creation. | ||
|
|
||
| ## Step 3: Set Up the Authentication Method | ||
| Follow these steps to set up the authentication method for your data app: | ||
|
|
||
| - Go to the newly created data app. | ||
| - Click the **Information & Settings** tab. | ||
| - Under **Authentication**, select **OIDC** and then **Generic OIDC**. | ||
| - Copy the client ID from your Google Cloud Project to the **Client ID** field in Keboola. | ||
| - Copy the client secret from your Google Cloud Project to the **Client secret** field in Keboola. | ||
| - In the **Issuer URL** field, enter `https://accounts.google.com`, which is the correct issuer URL for Google OAuth 2.0. | ||
| - Click **Save** to apply the changes. | ||
|
|
||
| ## Step 4: Configure the OAuth Consent Screen | ||
| Follow these steps to configure your data app's OAuth consent screen in your Google Cloud project: | ||
|
|
||
| - Go to the OAuth 2.0 client ID you created in the first step. | ||
| - Click the **OAuth consent screen** tab. | ||
| - Update the application details, including the app name, support email, and application homepage link.000 | ||
| - Under **Authorized domains**, add `http://keboola.com`. This ensures that Keboola's domain is recognized as an authorized domain for your OAuth 2.0 app. | ||
| - You do not have the redirect URl yet; you will need to deploy your data app in Keboola first. | ||
| - Click **Save and continue** to proceed. | ||
|
|
||
| ## Step 5: Deploy the Data App | ||
| Follow these steps to deploy your data app in Keboola: | ||
|
|
||
| - Go back to your data app in Keboola. | ||
| - Click the **Deploy Data App** tab. | ||
| - Select **Code** or **GitHub** deployment type and add code of your application. | ||
| - Click the green **Deploy Data App** button to deploy the application. | ||
|
|
||
| ## Step 6: Test the Data App | ||
| Follow these step to test your new data app: | ||
|
|
||
| - Go to the data app's URL. | ||
| - You should be redirected to the Google OAuth consent screen. | ||
| - Log in with your Google account to verify your identity. | ||
| - The data app should display its content. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| --- | ||
| title: OpenID Connect | ||
| permalink: /components/data-apps/oidc/ | ||
| --- | ||
|
|
||
| OpenID Connect (OIDC) is a protocol that enables secure sharing of user profile information between two unrelated applications | ||
| without exposing the user's credentials. | ||
|
|
||
| See the following articles for step-by-step information on how to configure the OIDC protocol for Keboola data apps: | ||
|
|
||
| - [Auth0](/components/data-apps/oidc/auth0/) | ||
| - [Google Cloud Platform](/components/data-apps/oidc/google-cloud-platform/) | ||
| - [Microsoft Entra ID](/components/data-apps/oidc/microsoft-entra-id/) | ||
| - [OKTA](/components/data-apps/oidc/okta/) | ||
| - GitHub (coming soon) | ||
| - BitBucket (coming soon) | ||
| - LinkedIn (coming soon) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| --- | ||
| title: Microsoft Entra ID | ||
| permalink: /components/data-apps/oidc/microsoft-entra-id/ | ||
| --- | ||
|
|
||
| * TOC | ||
| {:toc} | ||
|
|
||
| This document will guide you through the steps needed to set up the OpenID Connect (OIDC) protocol for Keboola data apps, specifically for use on Microsoft Entra ID. | ||
|
|
||
| ## Step 1: Create a New OAuth 2.0 Client ID | ||
| Follow these steps to create a new OAuth 2.0 client ID in Microsoft Entra ID: | ||
|
|
||
| - Go to portal.azure.com. | ||
| - Search for **Entra ID** and select **Microsoft Entra ID**. | ||
| - Click **+ Add** and select **App registration**. | ||
| - Provide a human-readable name for the app. | ||
| - Open your app. Go to **Manage → Authentication** and click **Add a platform**. | ||
| - Choose **Web**. | ||
| - You do not know your redirect URL yet; first, you need to create a data app in Keboola. | ||
| - Set up group claim. <br>The app needs to be able to provide all user groups because this will be necessary later to authenticate users based on groups. To enable this, go to **Manage -> Token configuration** and click **Add groups claim**. | ||
| - For large companies, we recommend using the last option to retrieve only the groups assigned to the application. Otherwise, all user roles will be included in the response. | ||
|
|
||
| This step is unnecessary if you selected **All groups** in the previous step: | ||
| - Assign appropriate groups to the application. Go to **Overview** and click the link `Managed application in local directory`. | ||
| - Add groups to your application. | ||
| - Assign groups and click **Assign**. | ||
|
|
||
| Then you will generate app secrets. Go back to app registrations, then continue to **Manage -> Certificates and secrets** and create **New client secret**. | ||
| Provide a human-readable description and click **Add**. Save **Value** because you won’t be able to reveal it. | ||
|
|
||
| ## Step 2: Configure Your Data App in Keboola | ||
| Follow these steps to configure you data app in Keboola: | ||
|
|
||
| - Go to your Keboola project. | ||
| - Click **Data Apps**. | ||
| - Create a new data app by clicking the green **+** button. | ||
| - Give your app a name and click **Create Data App** to create the app. | ||
|
|
||
| ## Step 3: Configure the Authentication Method for Your Data App | ||
| Follow these steps to set up the authentication method for you data app: | ||
|
|
||
| - Go to the newly created data app. | ||
| - Click the **Information & Settings** tab. | ||
| - Under **Authentication**, select **OIDC** and then **Azure OIDC**. | ||
| - Provide credentials from the Azure portal, such as the **Client ID**, **Client Secret**, and **Tenant ID**. | ||
| - Click **Save** to apply the changes. | ||
| - Deploy the data app to get the data app URL, which you will need to specify as the redirect URL. | ||
|
|
||
| ## Step 4: Configure the OAuth Consent Screen | ||
| Follow these steps to set up your data app's OAuth consent screen in the Azure portal. | ||
|
|
||
| - Go to the Azure portal and open your app. | ||
| - Enter the redirect URL. <br>Make sure to add `/_proxy/callback` to the end of your redirect URL. This is how Keboola will send the authentication response to your app. Format of the redirect URL is as follows: | ||
| `https://<dataAppId>.hub.<keboolaConnectionHost>/_proxy/callback` (e.g., `https://123456789.hub.europe-west3.gcp.keboola.com/_proxy/callback`). | ||
| - Save the changes. | ||
|
|
||
| ## Step 5: Deploy Your Data App in Keboola | ||
| Follow these steps to deploy the data app in Keboola: | ||
|
|
||
| - Go back to your data app in Keboola. | ||
| - Click the **Deploy Data App** tab. | ||
| - Select **Code** or **GitHub** deployment type and add code of your application. | ||
| - Click the green **Deploy Data App** button to deploy the application. | ||
|
|
||
| ## Step 6: Test Your Data App | ||
| Follow these steps to test your new data app: | ||
|
|
||
| - Go to the data app's URL. | ||
| - You should be asked to log in using your Entra ID account. | ||
| - After successfully loging in, you will be redirected to the app. | ||
| - The data app should display its content. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| --- | ||
| title: Okta | ||
| permalink: /components/data-apps/oidc/okta/ | ||
| --- | ||
|
|
||
| * TOC | ||
| {:toc} | ||
|
|
||
| This document will guide you through the steps needed to set up the OpenID Connect (OIDC) protocol for Keboola data apps, specifically for use on Okta. | ||
|
|
||
| ## Step 1: Create a new OAuth 2.0 Client ID in Okta | ||
| Follow these steps to create a new OAuth 2.0 client ID in Okta: | ||
|
|
||
| - Go to the Okta Admin Console. | ||
| - Click **Applications** and then click **Applications** again. | ||
| - Click **Create App Integration**. | ||
| - Select **OIDC - OpenID Connect** as the sign-in method. | ||
| - Choose **Web application** as the application type. | ||
| - Give your web app integration a name, for example, "Streamlit OIDC Demo". | ||
| - You do not have your sign-in redirect URI yet; you'll need to create a data app in Keboola first. | ||
| - Click **Save** to finish. | ||
|
|
||
| ## Step 2: Configure Your Data App in Keboola | ||
| Follow these steps to set up a new data app in Keboola: | ||
|
|
||
| - Go to your Keboola project. | ||
| - Click **Data Apps**. | ||
| - Create a new data app by clicking the green **+** button. | ||
| - Give your app a name and click **Create Data App** to create the app. | ||
|
|
||
| ## Step 3: Configure the Authentication Method for Your Data App | ||
| Follow these steps to set up the authentication method for your data app: | ||
|
|
||
| - Go to the newly created data app. | ||
| - Click the **Information & Settings** tab. | ||
| - Under **Authentication**, select **OIDC** and then **Generic OIDC**. | ||
| - Copy the client ID from your Okta application to the **Client ID** field in Keboola. | ||
| - Copy the client secret from your Okta application to the **Client secret** field in Keboola. | ||
| - In the **Issuer URL** field, enter `https://<yourOktaOrg>.okta.com/oauth2/default`. This is the correct issuer URL for Okta OIDC setup. | ||
| - Click **Save** to apply the changes. | ||
|
|
||
| ## Step 4: Configure Your Data App's Consent Screen in Okta | ||
| Follow these steps to set up your data app's consent screen in Okta: | ||
|
|
||
| - Go to the Okta Admin Console and open your web app integration. | ||
| - Enter the sign-in redirect URIs back to your data app. <br>Make sure to add `/_proxy/callback` to the end of your redirect URL. <br>This is how Keboola will send the authentication response to your app. The format of the redirect URL is as follows: `https://<dataAppId>.hub.<keboolaConnectionHost>/_proxy/callback` | ||
| (e.g., `https://okta-oidc-data-app-1234567890.hub.north-europe.azure.keboola.com/_proxy/callback`). | ||
| - Click **Save** to finish. | ||
|
|
||
| ## Step 5: Deploy Your Data App in Keboola | ||
| Follow these steps to deploy your data app in Keboola: | ||
|
|
||
| - In your data app in Keboola, click the **Deploy Data App** tab. | ||
| - Select **Code** or **GitHub** deployment type and add code of your application. | ||
| - Click the green **Deploy Data App** button to deploy the application. | ||
|
|
||
| ## Step 6: Test Your Data App | ||
| Follow these steps to test your new data app: | ||
|
|
||
| - Go to the data app's URL. | ||
| - You should be redirected to the Okta consent screen. | ||
| - Log in with your Okta account to verify your identity. | ||
| - The data app should display its content. |