The Identity Provider (IDP) for Varnish Controller is Keycloak, which is a open source software. Via Keycloak it is possible to use Github, Google, Facebook, LDAP, AD, etc. Hence, Keycloak will act as a proxy for different third-party authentication services.
The IDP is configured per organization in Varnish Controller and cannot be added globally.
When login is done via IDP for an organization the given access and refresh tokens are taken care of by Varnish Controller and new tokens are handed out from Varnish Controller that is generated and signed by Varnish Controller.
The access/refresh token handling is therefore the same if the user logs in via IDP or basic auth to Varnish Controller.
Once there is an organization and an user assigned with IDP write permissions to the organization, the IDP can be added. The configuration in the example below is taken from Keycloak, see Identity Provider Installation.
# Adding IDP as an organization administrator
$ vcli idp add --org 1 --base-url http://localhost:8080/auth/realms/demo/protocol/openid-connect --client-id demo-client --client-secret b124d51e-93e8-48c0-85cd-803657765040
Now the users in the IDP can log in to Varnish Controller. However, they will not have permissions to start with. Once the users have logged in for the first time, then the organization admin can add permissions for the different users.
See the authorization chapter for assigning permissions.
See Identity Provider Installation for Keycloak installation and configuration.
When logging in via IDP as a user for an organization, a web browser window will open and a login form will be presented. On successful login, the access token and refresh token are presented. The CLI, however, will automatically log in if the login is performed within a certain period. Therefore, when using the CLI, the presented tokens do not have to be noted (only if REST API is used).
The CLI will automatically handle the refresh token and fetch a new access token if needed without involving the user.
# Login via IDP to the organization "myorg" (first time)
vcli login http://localhost:8002 -o myorg --idp
# Second time
vcli login
The http://localhost:8002
is the API endpoint. Once this is done for the first time the API endpoint, organization and --idp
can be skipped since it will be saved in the CLI configuration file.