PR review

treeverse · Apr 11, 2024 · 2ffb7dd · 2ffb7dd
1 parent 4eaab0a
commit 2ffb7dd
Showing 1 changed file with 22 additions and 16 deletions.
diff --git a/examples/lakefs/enterprise/values-external-aws.yaml b/examples/lakefs/enterprise/values-external-aws.yaml
@@ -4,6 +4,10 @@ lakefsConfig: |
   blockstore:
     type: local
   auth:
+    oidc:
+      # the claim that's provided by the OIDC provider (e.g Okta) that will be used as the username according to OIDC provider claims provided after successfull authentication
+      friendly_name_claim_name: "<some-oidc-provider-claim-name>"
+      default_initial_groups: ["Developers"]
     authentication_api:
       endpoint: http://localhost:8080/api/v1
       external_principals_enabled: true
@@ -15,6 +19,7 @@ lakefsConfig: |
     ui_config:
       login_cookie_names:
         - internal_auth_session
+        - oidc_auth_session
 ingress:
   enabled: true
   ingressClassName: <class-name>
@@ -42,29 +47,30 @@ fluffy:
       format: "json"
       level: "INFO"
     auth:
-      serve_disable_authentication: true
-      serve_listen_address: localhost:9006
-      encrypt:
-        secret_key: shared-secrey-key
+      logout_redirect_url: https://oidc-provider-url.com/logout/example
+      oidc:
+        enabled: true
+        url: https://oidc-provider-url.com/
+        client_id: <oidc-client-id>
+        callback_base_url: https://<lakefs.ingress.domain>
+        is_default_login: true
+        # the claim name that represents the client identifier in the OIDC provider (e.g Okta)
+        logout_client_id_query_parameter: client_id
+        # the query parameters that will be used to redirect the user to the OIDC provider (e.g Okta) after logout
+        logout_endpoint_query_parameters:
+          - returnTo
+          - https://<lakefs.ingress.domain>/oidc/login
       external:
         aws_auth:
           enabled: true
-          get_caller_identity_max_age: 60
-    
-          # list of headers that are required to be present in the GetCallerIdentity request
-          required_headers:
-            required-key: "custom-value"
-          # list of headers that are optional for the GetCallerIdentity request
-          optional_headers:
-            optional-key: "custom-value"
-          # list of valid STS hosts for the GetCallerIdentity request
-          valid_sts_hosts:
-            - "sts.amazonaws.com"
-            - "sts.us-east-1.amazonaws.com"
   secrets:
     create: true
   sso:
     enabled: true
+  oidc:
+    enabled: true
+    # secret given by the OIDC provider (e.g auth0, Okta, etc)
+    client_secret: <oidc-client-secret>
   rbac:
     enabled: true