Description

Users frequently ask for generic OpenID Connect support, as in this email to the users mailing list:

On 08/16/2017 04:26 PM, Mclain, Warren wrote:
> After working through the Beta 1.10 install and trying to configure
> OpenId, we have run into a brick wall.
>
> The documentation is pretty much nonexistent on how to configure for
> OpenId. In addition, we want to authenticate against our own
> Oauth2/OpenId system, not a 3rd party source. From what we can see,
> there needs to be around 6 parameters passed to the OpenId system and so
> far I have only found 4.
>
> Looking for anyone who has successfully configured DCOS open version to
> an internal OpenId server.
>
> thanks

Note: "OpenID" and "OpenID Connect" are two different standards. OpenID Connect is a rather lightweight authentication protocol layered on top of OAuth2 (OAuth2 itself is not intended to be used for authentication, whereas OpenID Connect is precisely meant for authentication).

In my answer below I assume that when you say "OpenId" you actually mean OpenID Connect.

In versions 1.7 through 1.10, DC/OS only supports the OpenID Connect 'implicit flow' [1, 2] for single sign-on authentication, limited to a single proxy-like identity provider: Auth0 (which is configured to allow proxying to Google, GitHub, and others). The sequence of events in this flow is actually pretty interesting; I have previously elaborated on those details in a StackOverflow answer [3]. With those details in mind, it will be obvious why you have had the "we have run into a brick wall" experience.

The feature request above effectively asks for generic OpenID Connect support in DC/OS, which especially means adding support for the OpenID Connect 'authorization code flow' [4] and allowing the DC/OS cluster to be paired with arbitrary OpenID Connect identity providers (e.g. organization-internal ones). So far, this feature is only available in Enterprise DC/OS (there we have built it and confirmed that it works against Google Accounts, Azure, ADFS, Dex, pyoidc, and other identity providers).

[1] http://openid.net/specs/openid-connect-core-1_0.html#Authentication
[2] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
[3] https://stackoverflow.com/a/39580254/145400
[4] http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

This ticket is intended to track said feature request. If you are interested in this feature, please leave a comment here in this ticket. I would also appreciate it if you could describe your particular motivation.
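To make the distinction between the two flows concrete, here is an added illustration (not part of this ticket and not DC/OS code) of what a relying party does in the authorization code flow [4]: it sends the browser to the provider with response_type=code plus a per-session state and nonce, then, on the callback, checks state, exchanges the code at the token endpoint server-to-server, and validates the ID token's issuer, audience, nonce and expiry. The RP/OP names, URLs and the HS256 shared key standing in for the provider's signing key are all constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed settings for a hypothetical relying party (RP) and provider (OP).
RP = {"client_id": "cluster-rp", "redirect_uri": "https://rp.example/callback"}
OP = {"issuer": "https://idp.example", "authorize": "https://idp.example/authorize"}
OP_SECRET = b"constructed-hs256-key"  # stand-in for the OP's (normally RSA) signing key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorization_request(session: dict) -> str:
    """Step 1: redirect the browser to the OP asking for a code, not a token.
    state binds the callback to this session; nonce binds the ID token to it."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    q = {"response_type": "code", "scope": "openid", "client_id": RP["client_id"],
         "redirect_uri": RP["redirect_uri"], "state": session["state"], "nonce": session["nonce"]}
    return OP["authorize"] + "?" + urlencode(q)

def verify_id_token(token: str, nonce: str, now: int) -> dict:
    """Checks the RP must perform on the ID token before trusting its claims."""
    h, p, sig = token.split(".")
    expected = hmac.new(OP_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected): raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != OP["issuer"]: raise ValueError("wrong issuer")
    if claims.get("aud") != RP["client_id"]: raise ValueError("wrong audience")
    if claims.get("nonce") != nonce: raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now: raise ValueError("expired")
    return claims

def handle_callback(session: dict, callback_url: str, token_endpoint, now: int) -> dict:
    """Step 2: the browser comes back with ?code=...&state=...; unlike the implicit
    flow, the ID token never travels through the browser URL fragment."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session.pop("state", None):
        raise ValueError("state mismatch (callback not tied to this session)")
    tokens = token_endpoint(code=q["code"][0], redirect_uri=RP["redirect_uri"])
    return verify_id_token(tokens["id_token"], session.pop("nonce"), now)

def make_op_token_endpoint(nonce: str, now: int):
    """Constructed stand-in for the OP's token endpoint (a real OP is reached over HTTPS)."""
    def token_endpoint(code: str, redirect_uri: str) -> dict:
        assert code == "good-code" and redirect_uri == RP["redirect_uri"]
        claims = {"iss": OP["issuer"], "sub": "user-1", "aud": RP["client_id"], "nonce": nonce, "exp": now + 300}
        h, p = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
        sig = b64url(hmac.new(OP_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest())
        return {"id_token": f"{h}.{p}.{sig}", "token_type": "Bearer"}
    return token_endpoint
```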

People

Assignee: Jan-Philip Gehrcke
Reporter: Jan-Philip Gehrcke
Team: Mesosphere