
Manage OAuth/OIDC Identity Providers on StreamNative Cloud

Note

This feature is currently in Private Preview. To access this feature, you need to join our Early Access Program.

Please note that currently, StreamNative Cloud only supports managing OAuth/OIDC identity providers through snctl. Support for the Console and Terraform will be available soon.

You can register an OAuth/OIDC identity provider on StreamNative Cloud to grant applications and services access to StreamNative Cloud resources. A registered OAuth/OIDC identity provider uses the industry standard OAuth 2.0 and OpenID Connect (OIDC) protocols to authenticate users and services, reduce operational overhead, and improve security.

Prerequisites

Before registering an OAuth/OIDC identity provider, ensure you have:

  • An account with the identity provider you want to register
  • A StreamNative Cloud account with Super Admin privileges
  • The following information from your identity provider:
    • OIDC Discovery URL: This URL is used to import the metadata needed for configuring your OIDC identity provider. The Discovery URL automatically provides both the JWKS URI and Issuer URI information. Note that StreamNative Cloud currently only supports configuration via Discovery URL.
  • Configured your identity provider to allow access from StreamNative Cloud

Obtain the OIDC Discovery URL

To obtain the OIDC discovery URL for an OIDC provider, you typically need to know the base URL of the provider. The discovery URL is constructed by appending /.well-known/openid-configuration to the base URL. Here's how you can find it:

Check the OIDC Provider's Documentation

Many OIDC providers specify their discovery URLs in their documentation. Common examples include:

  • Google: https://accounts.google.com/.well-known/openid-configuration
  • Auth0: https://<your-auth0-domain>/.well-known/openid-configuration
  • Okta: https://<your-okta-domain>/.well-known/openid-configuration
  • Azure AD: https://login.microsoftonline.com/<your-tenant-id>/v2.0/.well-known/openid-configuration (where <your-tenant-id> is your Azure AD tenant ID or "common" for multi-tenant)

Manually Construct the Discovery URL

If you know the base domain of your OIDC provider, construct the discovery URL like this:

<base-url>/.well-known/openid-configuration

Examples:

  • https://example-oidc-provider.com/.well-known/openid-configuration

Test the URL

Once you have the discovery URL:

  • Open it in a browser or use a tool like curl or wget to ensure it returns a JSON configuration.

    curl https://example-oidc-provider.com/.well-known/openid-configuration
    
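Beyond confirming that the URL returns JSON, it is worth checking that the document actually carries the fields StreamNative Cloud will rely on (the issuer and the JWKS URI) and that the issuer matches the URL you fetched, since OIDC Discovery requires <issuer>/.well-known/openid-configuration to be the discovery URL itself. The following Python script is an added example, not part of the StreamNative documentation or of snctl; the helper names (discovery_url_for, check_discovery_document, fetch_and_check) and the sample document are constructed for illustration.

```python
"""Sanity-check an OIDC discovery document before registering the provider.

Added example; not StreamNative or snctl code. The helper names and the
sample document below are constructed for illustration.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Provider metadata fields that the OIDC Discovery specification marks as
# REQUIRED for every provider (token_endpoint is only required when a
# non-implicit flow is offered, so it is not listed here).
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def discovery_url_for(base_url: str) -> str:
    """Build the discovery URL from a provider base URL; a trailing slash is tolerated."""
    return base_url.rstrip("/") + WELL_KNOWN


def check_discovery_document(discovery_url: str, body: str) -> list[str]:
    """Return the problems found in a discovery response; an empty list means it looks sane.

    Checks performed: the body parses as a JSON object, every required field is
    present, issuer and jwks_uri are https URLs, and the issuer matches the
    discovery URL that was fetched (a document whose issuer points elsewhere
    would make tokens from that other issuer validate against these keys).
    """
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"response is not JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["response is JSON but not an object"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")

    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        if urlparse(issuer).scheme != "https":
            problems.append("issuer must be an https URL")
        if discovery_url_for(issuer) != discovery_url:
            problems.append(
                f"issuer {issuer!r} does not match discovery URL {discovery_url!r}"
            )

    jwks_uri = doc.get("jwks_uri")
    if isinstance(jwks_uri, str) and urlparse(jwks_uri).scheme != "https":
        problems.append("jwks_uri must be an https URL")
    return problems


def fetch_and_check(discovery_url: str, timeout: float = 10.0) -> list[str]:
    """Fetch the document over the network and run the checks (needs connectivity)."""
    from urllib.request import urlopen  # verifies the TLS certificate by default

    with urlopen(discovery_url, timeout=timeout) as resp:
        return check_discovery_document(discovery_url, resp.read().decode("utf-8"))


# Constructed sample: the discovery URL from the page's curl example and a
# minimal well-formed document for that provider.
SAMPLE_DISCOVERY_URL = "https://example-oidc-provider.com" + WELL_KNOWN
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://example-oidc-provider.com",
    "authorization_endpoint": "https://example-oidc-provider.com/authorize",
    "token_endpoint": "https://example-oidc-provider.com/oauth/token",
    "jwks_uri": "https://example-oidc-provider.com/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    print("sample document:", check_discovery_document(SAMPLE_DISCOVERY_URL, SAMPLE_DOCUMENT) or "OK")
    broken = SAMPLE_DOCUMENT.replace('"issuer": "https://example-oidc-provider.com"',
                                     '"issuer": "https://other.example"')
    print("mismatched issuer:", check_discovery_document(SAMPLE_DISCOVERY_URL, broken))
```

To check a live provider, call fetch_and_check with the discovery URL you intend to pass to snctl. One caveat for the issuer comparison: Azure AD's multi-tenant "common" endpoint returns a templated issuer containing {tenantid}, so that check will report a mismatch there even though the endpoint is valid; use the tenant-specific URL if you want the check to pass.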

Contact Your Provider

If you cannot find the base URL or documentation, contact your provider's support team or administrator to obtain the correct discovery URL.

For organizations using a custom or private OIDC implementation, the discovery URL will be specific to your deployment. Contact your OIDC provider administrator to obtain the appropriate URL.

Register an OAuth/OIDC identity provider

You can register an OAuth/OIDC identity provider by running the following command:

snctl create oidcprovider <provider-name> \
  --description '<provider-description>' \
  --discovery-url '<discovery-url>'

Alternatively, you can prepare a manifest file oidc-provider.yaml for the identity provider as follows:

apiVersion: cloud.streamnative.io/v1alpha1
kind: OIDCProvider
metadata:
  name: <provider-name>
  namespace: <organization-id>
spec:
  description: '<provider-description>'
  discoveryUrl: '<discovery-url>'

Then, create the identity provider by running the following command:

snctl create oidcprovider -f oidc-provider.yaml

Once the identity provider is created, you can check the status of the identity provider by running the following command:

snctl get oidcprovider <provider-name> -o yaml

You should be able to see the status of the identity provider as Ready.

Update an OAuth/OIDC identity provider

You can update the description and discovery URL of an OAuth/OIDC identity provider. When updating the discovery URL, ensure that StreamNative Cloud can still access the old discovery URL during the update process to avoid disrupting applications and services that use the identity provider.

To update an OAuth/OIDC identity provider, you can run snctl edit oidcprovider <oidc-provider-name> and change its description and discovery URL.

Alternatively, you can edit the manifest file oidc-provider.yaml and then apply the changes by running the following command:

snctl apply -f oidc-provider.yaml

You can also check the status of the identity provider by running the following command:

snctl get oidcprovider <oidc-provider-name> -o yaml

Delete an OAuth/OIDC identity provider

Warning

Deleting an OAuth/OIDC identity provider is irreversible and will remove all the information associated with the identity provider. This can cause disruption to the applications and services that use the identity provider.

You can delete an OAuth/OIDC identity provider by running the following command:

snctl delete oidcprovider <oidc-provider-name>