Identity Provider Configuration

OpenChoreo supports standard OAuth2/OIDC compliant identity providers for user management and authentication. This guide covers the default identity provider setup and how to integrate your own OAuth2/OIDC compliant identity provider.

Overview

OpenChoreo's authentication system supports:

• Flexible OAuth2/OIDC compliant identity provider configuration for secure authentication
• User and service account identity management for different access patterns
• JWT-based token validation with audience claim verification
• Multi-plane authentication with consistent identity management across different OpenChoreo planes

The identity provider configuration is managed through helm chart values during installation.

Default Identity Provider

OpenChoreo ships with Asgardeo Thunder as the default identity provider. Thunder is a lightweight, OAuth2/OIDC compliant identity management platform that enables quick setup for development and testing environments.

Features

Thunder provides out-of-the-box:

• OAuth2 and OIDC compliant authentication flows
• User and service account identity management
• JWT token issuance and validation
• Pre-configured OAuth applications for OpenChoreo components

Trying Out Thunder

Thunder includes a developer portal where you can manage users, applications, and OAuth clients. After deploying OpenChoreo, access the Thunder admin portal to configure additional identity settings:

Access Thunder Developer Portal:

• URL: <your-thunder-url>/console
• Default credentials:
  • Username: admin
  • Password: admin

note

The default Thunder deployment is intended for development and testing. For production deployments, configure your own OAuth2/OIDC-compliant identity provider as described in the next section.

Integrating Your Identity Provider

OpenChoreo allows you to integrate your own OAuth2/OIDC compliant identity provider for production environments. This enables you to leverage your organization's existing identity management infrastructure for user authentication and service account management.

note

If you installed Thunder during your initial OpenChoreo installation, you can uninstall its Helm release once you have configured and verified your external identity provider.

Prerequisites

Before integrating your identity provider, ensure you have:

1. An OAuth2/OIDC compliant identity provider accessible from your cluster
2. The following endpoints from your identity provider:
   • OIDC Discovery endpoint (.well-known/openid-configuration)
   • Authorization endpoint
   • Token endpoint
   • JWKS (JSON Web Key Set) endpoint
3. Knowledge of your provider's issuer and audience claim values

Configuration Steps

OpenChoreo requires identity provider configuration across multiple planes. The following sections describe how to configure each plane during installation.

Control Plane Configuration

The Control Plane requires identity provider configuration for authenticating API requests and managing user sessions. Configure your identity provider's OIDC settings:

helm upgrade --install openchoreo-control-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-control-plane \
--version 1.0.0 \
--namespace openchoreo-control-plane \
--create-namespace \
--reuse-values \
--set security.oidc.issuer="https://your-idp.example.com" \
--set security.oidc.wellKnownEndpoint="https://your-idp.example.com/.well-known/openid-configuration" \
--set security.oidc.jwksUrl="https://your-idp.example.com/.well-known/jwks.json" \
--set security.oidc.authorizationUrl="https://your-idp.example.com/oauth2/authorize" \
--set security.oidc.tokenUrl="https://your-idp.example.com/oauth2/token"

Configuration Parameters:

• security.oidc.issuer: OIDC issuer URL (must match the iss claim in JWT tokens)
• security.oidc.wellKnownEndpoint: URL to OIDC provider's well-known configuration endpoint
• security.oidc.jwksUrl: URL to provider's JWKS endpoint for token signature verification
• security.oidc.authorizationUrl: Authorization endpoint for initiating login flow
• security.oidc.tokenUrl: Token exchange endpoint for obtaining access tokens
• security.jwt.audience: (Optional) Expected audience claim value in JWT tokens. When configured, audience validation is enabled.

Optional: JWT Audience Validation

If your identity provider includes an audience claim in JWT tokens, you can enable audience validation:

--set security.jwt.audience="your-audience-value"

note

Audience validation is only performed when security.jwt.audience is configured. The value must match the audience claim (aud) in the JWT tokens issued by your identity provider.

Observability Plane Configuration

The Observability Plane validates JWT tokens when querying logs and metrics through the Observer API. Configure your identity provider's OIDC settings:

helm upgrade --install openchoreo-observability-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-observability-plane \
--version 1.0.0 \
--namespace openchoreo-observability-plane \
--create-namespace \
--reuse-values \
--set security.oidc.issuer="https://your-idp.example.com" \
--set security.oidc.jwksUrl="https://your-idp.example.com/.well-known/jwks.json"

Configuration Parameters:

• security.oidc.issuer: OIDC issuer URL (must match the iss claim in JWT tokens)
• security.oidc.jwksUrl: URL to provider's JWKS endpoint for token signature verification
• security.jwt.audience: (Optional) Expected audience claim value in JWT tokens. When configured, audience validation is enabled.
• security.oidc.jwksUrlTlsInsecureSkipVerify: (Optional) Skip TLS certificate verification for JWKS endpoint

Optional: JWT Audience Validation

If your identity provider includes an audience claim in JWT tokens, you can enable audience validation:

--set security.jwt.audience="your-audience-value"

Optional: Skip TLS Verification

For development or testing environments where your identity provider uses self-signed certificates, you can skip TLS verification:

--set security.oidc.jwksUrlTlsInsecureSkipVerify="true"

warning

Only use jwksUrlTlsInsecureSkipVerify="true" in development or testing environments. For production deployments, ensure your identity provider uses valid TLS certificates.

note

Different identity providers use different JWT claim names (for example, roles instead of groups for user groups). After configuring your identity provider, review the Subject Types configuration in the Authorization guide to ensure the claim mappings match the tokens your identity provider issues.

OAuth Client Configurations

After integrating your identity provider, configure OAuth applications/clients for OpenChoreo components that require authentication. Each component needs specific redirect URIs and scopes configured in your identity provider.

The following components require OAuth client configuration:

Backstage (Developer Portal):

• For configuration steps, refer to the Backstage Configuration guide

RCA Agent:

• For configuration steps, refer to the RCA Agent Configuration guide

CLI (occ):

• For configuration steps, refer to the CLI Configuration guide

Workload Publisher (CI Workflows):

• For configuration steps, see the Workload Publishing Credentials guide

tip

Store sensitive values like client secrets using Kubernetes secrets rather than directly in helm values. Refer to the Secret Management guide for best practices.

Obtaining Identity Provider Configuration

Most OAuth2/OIDC compliant identity providers expose their configuration through a well-known endpoint. You can typically find all required URLs by accessing:

https://your-idp.example.com/.well-known/openid-configuration

This endpoint returns a JSON document containing:

• issuer: The issuer identifier
• authorization_endpoint: Authorization URL
• token_endpoint: Token URL
• jwks_uri: JWKS URL

Refer to your identity provider's documentation for specific instructions on:

• Obtaining the well-known configuration endpoint
• Creating OAuth applications/clients
• Configuring redirect URIs
• Managing client credentials
• Setting up user groups and roles

Verification

After configuring your identity provider, verify the setup:

1. Check Control Plane logs for any authentication configuration errors:

   kubectl logs <openchoreo-api-pod>  -n openchoreo-control-plane --tail=50

2. Test authentication flow by accessing the Backstage UI and verifying you're redirected to your identity provider's login page

3. Verify token validation by making authenticated API requests and checking that tokens are properly validated

Troubleshooting

Common Issues

Login redirect fails:

• Verify redirect URIs in your OAuth application match exactly (including protocol and port)
• Check that authorization and token URLs are accessible from the cluster
• Ensure DNS resolution works for your identity provider endpoints

Token validation errors:

• Ensure the issuer value matches the iss claim in JWT tokens
• Verify the JWKS URL is accessible and returns valid public keys
• Confirm the audience claim in tokens matches the configured value

Connection timeouts:

• Verify network connectivity from the cluster to your identity provider
• Check firewall rules and network policies
• Ensure TLS certificates are valid and trusted

For additional support, refer to the OpenChoreo GitHub issues or join the CNCF Slack (#openchoreo).

Next Steps

After configuring your identity provider:

• Configure Authorization to set up roles, role bindings, and subject types that map JWT claims to OpenChoreo's authorization system
• Configure Backstage OAuth client for the Backstage Portal
• Set up Secret Management for secure credential storage
• Review the Control Plane and Observability Plane Helm references for all available configuration options