Task | Resolution: Done | Critical | 1.2
Chapter 2 - Authenticating with Red Hat Single-Sign On (RHSSO)
S2.1 - Enabling authentication with Red Hat Single-Sign On (RHSSO)
- [DONE] AI: [SME]: OK to focus on “RHSSO” rather than “the OpenID Connect (OIDC) connector” and Keycloak? => Yes. Focus on RHSSO (supported), and open up on other OIDC providers “might use with other third-party services that support the OIDC protocol”.
- [DONE] AI: [SME]: Where does the “dangerouslyAllowSignInWithoutUserInCatalog” option go? => See same Q above
- AI: [Docs] Refactor https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.2/html/authentication/assembly-auth-provider-oidc to a single procedure with 3 steps, and substeps. Rewrite the steps for consistency. Use the Azure procedure as a template.
To authenticate users with Red Hat SSO (RHSSO), enable the OpenID Connect (OIDC) authentication provider in RHDH.
You might use this authentication provider to authenticate with other third-party services that support the OIDC protocol.
Prerequisites
- You added a custom RHDH application configuration, and have sufficient permissions to modify it. See https://docs.redhat.com/en/documentation/red_hat_developer_hub/1.2/html/administration_guide_for_red_hat_developer_hub/assembly-add-custom-app-file-openshift_admin-rhdh.
- You have sufficient permissions in RHSSO to create a realm, a user, and a client.
Procedure
- To allow Developer Hub to authenticate with RHSSO, complete the steps in RHSSO:
- Create a new realm, such as RHDH.
- Add a new user.
- Username: Username for the user, for example: rhdhuser
- Email: Email address of the user.
- First name: First name of the user.
- Last name: Last name of the user.
- Email verified: Toggle to On.
- Click Create.
- Navigate to the Credentials tab.
- Click Set password.
- Enter the Password for the user account and toggle Temporary to Off.
- Create a new Client ID, for example, RHDH.
- Client authentication: Toggle to On.
- Valid redirect URIs: Set to the OIDC handler URL: https://<RHDH_URL>/api/auth/oidc/handler/frame.
- Navigate to the Credentials tab and copy the Client secret.
- Save the Client ID and the Client Secret for the next step.
- Add your RHSSO credentials to your Developer Hub secrets.
- Edit your Developer Hub secrets, such as secrets-rhdh.
- Add the following key/value pairs:
- AUTH_OIDC_CLIENT_ID: the Client ID you created in RHSSO, for example RHDH.
- AUTH_OIDC_CLIENT_SECRET: the Client secret you copied from the Credentials tab of the client.
- AUTH_OIDC_METADATA_URL: the OIDC discovery URL of the realm you created, that is, the realm's .well-known/openid-configuration endpoint, for example https://<RHSSO_URL>/auth/realms/RHDH/.well-known/openid-configuration (the path prefix depends on your RHSSO deployment).
- AUTH_OIDC_PROMPT: the OIDC prompt value; auto is recommended.
- Set up the OIDC authentication provider in your Developer Hub custom configuration.
Edit your custom Developer Hub config map, such as app-config-rhdh.
In the app-config-rhdh.yaml content, add the oidc provider configuration under the root auth configuration, and enable the oidc provider for sign-in:
app-config-rhdh.yaml fragment
auth:
  environment: production <1>
  providers:
    oidc:
      production:
        metadataUrl: ${AUTH_OIDC_METADATA_URL}
        clientId: ${AUTH_OIDC_CLIENT_ID}
        clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
        prompt: ${AUTH_OIDC_PROMPT} # Recommended to use auto
        ## Uncomment for additional configuration options
        # callbackUrl: ${AUTH_OIDC_CALLBACK_URL}
        # tokenEndpointAuthMethod: ${AUTH_OIDC_TOKEN_ENDPOINT_METHOD}
        # tokenSignedResponseAlg: ${AUTH_OIDC_SIGNED_RESPONSE_ALG}
        # scope: ${AUTH_OIDC_SCOPE}
        ## Declarative resolvers to override the default resolver: `emailLocalPartMatchingUserEntityName`
        ## The authentication provider tries each sign-in resolver until it succeeds, and fails if none succeed. Uncomment the resolvers that you want to use.
        # signIn:
        #   resolvers:
        #     - resolver: preferredUsernameMatchingUserEntityName
        #     - resolver: emailMatchingUserEntityProfileEmail
        #     - resolver: emailLocalPartMatchingUserEntityName
signInPage: oidc <2>
dangerouslyAllowSignInWithoutUserInCatalog: true <3>
<1> Setting the environment to production hides the Guest login on the RHDH home page.
<2> Enables the OIDC provider as the default sign-in provider.
<3> Allows any user that RHSSO authenticates to sign in, even when no matching User entity exists in the RHDH catalog. This is convenient while testing; once your users are provisioned in the catalog, set it to false so that only known users can sign in.
Verification
- Go to the RHDH login page. The Guest login is no longer offered. Log in with OIDC using the RHSSO user you created.
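As a pre-flight check for the three steps above, the following script is an added example, not code from the RHDH documentation or product. It cross-checks the app-config fragment against the keys present in the Developer Hub secret, confirms that the redirect URI registered on the RHSSO client is exactly the OIDC handler URL RHDH uses, confirms that signInPage names a configured provider, and surfaces dangerouslyAllowSignInWithoutUserInCatalog as a warning. The hostname rhdh.apps.example.com, the secret key set, the redirect URI list and the config text are constructed sample data, and the function names are the example's own.

```python
"""Offline pre-flight check for the RHDH OIDC (RHSSO) authentication setup.

Added example, not RHDH code. The sample below deliberately omits two
secret keys (metadata URL and prompt) that the config fragment references,
which is the mistake this check is meant to catch before a rollout.
"""
import re

# Constructed sample: the app-config-rhdh.yaml auth fragment from the procedure.
APP_CONFIG = """\
auth:
  environment: production
  providers:
    oidc:
      production:
        metadataUrl: ${AUTH_OIDC_METADATA_URL}
        clientId: ${AUTH_OIDC_CLIENT_ID}
        clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
        prompt: ${AUTH_OIDC_PROMPT}
        # callbackUrl: ${AUTH_OIDC_CALLBACK_URL}
signInPage: oidc
dangerouslyAllowSignInWithoutUserInCatalog: true
"""

# Constructed sample: keys present in the secrets-rhdh Secret (values omitted).
SECRET_KEYS = {"AUTH_OIDC_CLIENT_ID", "AUTH_OIDC_CLIENT_SECRET"}

RHDH_HOST = "rhdh.apps.example.com"  # assumed RHDH hostname, sample data
# Constructed sample: the "Valid redirect URIs" entered on the RHSSO client.
RHSSO_REDIRECT_URIS = ["https://rhdh.apps.example.com/api/auth/oidc/handler/frame"]

PLACEHOLDER = re.compile(r"\$\{([A-Z0-9_]+)\}")


def active_placeholders(yaml_text):
    """Names of ${VAR} placeholders on lines that are not commented out."""
    names = set()
    for line in yaml_text.splitlines():
        if not line.lstrip().startswith("#"):
            names.update(PLACEHOLDER.findall(line))
    return names


def missing_secret_keys(yaml_text, secret_keys):
    """Placeholders the config needs but the secret does not provide."""
    return sorted(active_placeholders(yaml_text) - set(secret_keys))


def expected_handler_url(rhdh_host):
    return "https://%s/api/auth/oidc/handler/frame" % rhdh_host


def redirect_uri_ok(rhdh_host, redirect_uris):
    """RHSSO rejects the callback unless this exact URI is registered."""
    return expected_handler_url(rhdh_host) in redirect_uris


def configured_providers(yaml_text):
    """Keys nested one level under 'providers:' (e.g. ['oidc'])."""
    providers, base = [], None
    for line in yaml_text.splitlines():
        m = re.match(r"^(\s*)providers:\s*$", line)
        if m:
            base = len(m.group(1))
            continue
        if base is None or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= base:
            break  # left the providers block
        text = line.strip()
        if indent == base + 2 and text.endswith(":") and not text.startswith("#"):
            providers.append(text[:-1])
    return providers


def sign_in_page(yaml_text):
    m = re.search(r"^\s*signInPage:\s*(\S+)", yaml_text, re.M)
    return m.group(1) if m else None


def allows_sign_in_without_catalog_user(yaml_text):
    m = re.search(r"^\s*dangerouslyAllowSignInWithoutUserInCatalog:\s*(\S+)", yaml_text, re.M)
    return bool(m) and m.group(1).lower() == "true"


def check(yaml_text, secret_keys, rhdh_host, redirect_uris):
    """Return (problems, warnings): problems break sign-in, warnings do not."""
    problems, warnings = [], []
    missing = missing_secret_keys(yaml_text, secret_keys)
    if missing:
        problems.append("secret is missing keys: " + ", ".join(missing))
    if not redirect_uri_ok(rhdh_host, redirect_uris):
        problems.append("RHSSO client must list redirect URI " + expected_handler_url(rhdh_host))
    page = sign_in_page(yaml_text)
    if page not in configured_providers(yaml_text):
        problems.append("signInPage '%s' names a provider that is not configured" % page)
    if allows_sign_in_without_catalog_user(yaml_text):
        warnings.append("dangerouslyAllowSignInWithoutUserInCatalog is true: every user in the "
                        "RHSSO realm can sign in, not only users present in the RHDH catalog")
    return problems, warnings


if __name__ == "__main__":
    found_problems, found_warnings = check(APP_CONFIG, SECRET_KEYS, RHDH_HOST, RHSSO_REDIRECT_URIS)
    for line in ["PROBLEM: " + p for p in found_problems] + ["WARNING: " + w for w in found_warnings]:
        print(line)
```

Run it against the real config map text and the key list from `oc get secret secrets-rhdh -o jsonpath='{.data}'` before restarting RHDH; a missing key shows up as an unresolved placeholder in the backend log otherwise, which is harder to trace back to the secret.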
documents:
- RHIDP-2803 Update metadataUrl in code snippet for OpenID Connect authentication provider (Closed)
links to:
1. [DOC] SME Review, Closed, Fabrice Flore-Thébault
2. [DOC] QE Review, Closed, Unassigned
3. [DOC] Peer Review, Closed, Fabrice Flore-Thébault