OAuth 2.0 Configuration

Configure your Spinnaker deployment to use OAuth 2.0 for authentication.

Halyard config

The full schema for configuring OAuth 2.0 via Halyard is:

  1. security:
  2.   authn:
  3.     oauth2:
  4.       # Whether OAuth 2.0 is enabled.
  5.       enabled: boolean
  6.       client:
  7.         # The OAuth client ID you have configured with your OAuth 2.0 provider.
  8.         clientId: string
  10.         # The OAuth client secret you have configured with your OAuth provider.
  11.         clientSecret: string 
  13.         # The access token URI for your OAuth provider.
  14.         accessTokenUri: string
  16.         # The user authorization URI for your OAuth 2.0 provider.
  17.         userAuthorizationUri: string
  19.         # The scope to request when obtaining an access token from your
  20.         # OAuth 2.0 provider.
  21.         scope: string
  23.         # The externally accessible URL for Gate. For use with load balancers
  24.         # that do any kind of address manipulation for Gate traffic, such as an
  25.         # SSL terminating load balancer.
  26.         preEstablishedRedirectUri: string
  28.         # The method used to transmit authentication credentials to your
  29.         # OAuth 2.0 provider; defaults to header.
  30.         clientAuthenticationScheme: [header|query|form|none]
  32.         # Whether the current URI in the request should be preferred over the
  33.         # pre-established redirect URI.
  34.         useCurrentUri: boolean
  36.       resource:
  37.         # The user info URI for your OAuth 2.0 provider.
  38.         userInfoUri: string
  40.       # Mapping of user attributes to fields returned by your OAuth 2.0 provider.
  41.       # This field controls how the fields returned from the OAuth 2.0 provider's
  42.       # user info endpoint are translated into a Spinnaker user.
  43.       userInfoMapping:
  44.         email: string
  45.         firstName: string
  46.         lastName: string
  47.         username: string
  49.       # The map of requirements the userInfo request must have. This is used to
  50.       # restrict user login to specific domains or to users having a specific attribute.
  51.       userInfoRequirements: map<string, string>

Halyard CLI commands

There are Halyard CLI commands to edit each field above; these are documented here .

Last modified August 28, 2020: fix ordering to match current site (4ca0bf9)