OpenID Connect
Create Loft Config For OIDC
Loft is able to use an OIDC provider as an authentication source.
To tell Loft to use OIDC for SSO, navigate to
Admin > Config
in Loft and adjust your config as shown below:

```yaml
auth:
  # Tell Loft to allow OIDC for authentication
  oidc:
    #
    # REQUIRED CONFIGURATION
    #
    # IssuerURL is the URL the provider signs ID tokens as. It must match the
    # token's "iss" claim exactly (scheme, host, path and trailing slash).
    issuerUrl: https://accounts.google.com
    # ClientID the ID token must be issued for (its "aud" claim). Can be a
    # string literal or pulled from the environment.
    clientId: $CLIENTID
    # ClientSecret used when exchanging the authorization code for tokens at
    # the OIDC provider. Can be a string literal or pulled from the environment.
    clientSecret: $CLIENTSECRET
    # Callback URL in the form https://your-loft-domain/auth/oidc/callback.
    # Register it with the provider exactly as written here.
    redirectURI: https://loft.my.domain/auth/oidc/callback
    #
    # OPTIONAL CONFIGURATION
    #
    # (Optional) Path to a PEM-encoded root certificate used to verify the
    # provider's TLS certificate.
    caFile: /tmp/ca-file.crt
    # (Optional) Skip TLS certificate validation when talking to the provider.
    # Leave this false outside of testing: with true, anyone who can intercept
    # the connection can impersonate the issuer.
    insecureCa: false
    # (Optional) UsernameClaim is the JWT field to use as the user's username.
    # If not set, defaults to "email".
    usernameClaim: email
    # (Optional) If specified, the value mapped to the username is prefixed
    # with this string.
    usernamePrefix: my-prefix-
    # (Optional) If specified, the OIDCAuthenticator populates the user's
    # groups from this ID token field.
    groupsClaim: groups
    # (Optional) If specified, group names mapped from the claim are prefixed
    # with this string.
    groupsPrefix: group-prefix-
    # (Optional) If groups is non-empty, access is denied unless the user is a
    # member of at least one of the listed groups. Requires groupsClaim to be set!
    groups: ["my-oidc-group"]
    # (Optional) If true, the OIDCAuthenticator also fetches the user's
    # information from the UserInfo endpoint. This may be necessary for slim
    # tokens such as those issued by Okta.
    getUserInfo: false
    # (Optional) Scopes sent to the provider. If empty, defaults to "email" and "profile".
    scopes: ["profile", "email"]
    # (Optional) EmailClaim is the JWT field to use as the user's email.
    emailClaim: "email"
    # (Optional) LoftUsernameClaim is the JWT field to use as the user's ID
    # (Kubernetes name) and username.
    loftUsernameClaim: "name"
    # (Optional) PreferredUsername is the JWT field to use as the user's display name.
    preferredUsername: "preferred_username"
```

Authenticate via OIDC
After saving the new Loft configuration, Loft will restart itself and you should be able to log in via your OIDC provider.
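To see in advance which logins the mapping settings above will admit, here is a small model of the claim mapping that the config comments describe. It is an added illustration written for this page, not Loft's code. It takes an ID token payload that has already been signature-verified and applies issuerUrl, clientId, usernameClaim/usernamePrefix, groupsClaim/groupsPrefix and the groups allow-list. The sample payloads and the client ID `loft-client-id` are constructed; the exact-string issuer comparison and the order of the allow-list check (against the raw claim values, before the prefix is applied) are assumptions, since the page does not state them.

```python
"""Model of the auth.oidc claim-to-user mapping (added example, not Loft code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class OidcConfig:
    # Field names mirror the keys of the auth.oidc config block.
    issuer_url: str
    client_id: str
    username_claim: str = "email"          # Loft default per the config comment
    username_prefix: str = ""
    groups_claim: Optional[str] = None
    groups_prefix: str = ""
    groups: List[str] = field(default_factory=list)


@dataclass
class MappedUser:
    username: str
    groups: List[str]


def map_id_token(cfg: OidcConfig, claims: dict) -> Union[MappedUser, str]:
    """Return a MappedUser, or a string saying why the login is refused.

    `claims` is the payload of an ID token whose signature has already been
    checked against the provider's JWKS; that step is out of scope here.
    """
    # Token must come from the configured issuer (assumption: exact match,
    # so a trailing slash difference is a mismatch).
    if claims.get("iss") != cfg.issuer_url:
        return f"issuer mismatch: {claims.get('iss')!r}"

    # ... and be issued for our client ID: the "aud" claim, which may be a list.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if cfg.client_id not in audiences:
        return f"token not issued for client {cfg.client_id!r}"

    username = claims.get(cfg.username_claim)
    if not username:
        return f"username claim {cfg.username_claim!r} missing"

    raw_groups: List[str] = []
    if cfg.groups_claim:
        value = claims.get(cfg.groups_claim, [])
        # Tolerate a single string as well as a list of strings.
        raw_groups = [value] if isinstance(value, str) else list(value)

    # Allow-list: with `groups` set, the user must belong to at least one.
    # Assumption: compared against the raw claim values, before prefixing.
    if cfg.groups:
        if not cfg.groups_claim:
            return "groups allow-list set but groupsClaim is not"
        if not set(raw_groups) & set(cfg.groups):
            return f"user not in any of {cfg.groups}"

    return MappedUser(
        username=cfg.username_prefix + username,
        groups=[cfg.groups_prefix + g for g in raw_groups],
    )


# Constructed config and sample payloads (not real tokens).
CFG = OidcConfig(
    issuer_url="https://accounts.google.com",
    client_id="loft-client-id",            # hypothetical client ID
    username_prefix="my-prefix-",
    groups_claim="groups",
    groups_prefix="group-prefix-",
    groups=["my-oidc-group"],
)
MEMBER = {"iss": "https://accounts.google.com", "aud": "loft-client-id",
          "email": "alice@example.com", "groups": ["my-oidc-group", "dev"]}
OUTSIDER = {**MEMBER, "email": "bob@example.com", "groups": ["dev"]}
WRONG_AUD = {**MEMBER, "aud": "some-other-app"}
TRAILING_SLASH = {**MEMBER, "iss": "https://accounts.google.com/"}

if __name__ == "__main__":
    for name, payload in [("member", MEMBER), ("outsider", OUTSIDER),
                          ("wrong aud", WRONG_AUD), ("trailing slash", TRAILING_SLASH)]:
        print(f"{name:15} -> {map_id_token(CFG, payload)}")
```

Run it against the payload you get from your provider (decode the ID token from a test login) before tightening `groups`: the outsider and wrong-audience cases above are the ones that lock users out silently.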
Disable Username + Password Authentication (optional)
To disable password-based authentication, navigate to
Admin > Config
and add these two lines to your config. Verify that OIDC login works first: once passwords are disabled, OIDC is the only way into Loft.

```yaml
auth:
  oidc: ... # This is your SSO configuration (make sure this is working!)
  password:
    disabled: true # Disable password-based authentication
```