How to enable custom identity provider support

The Anbox Cloud Appliance has support for custom identity providers for authentication through the use of OpenID Connect.

Support for a custom identity provider has to be enabled at initialisation by using a preseed configuration. See Anbox Cloud Appliance preseed configuration format for more details.

Anbox Cloud uses the authorisation code flow to obtain an identity token. No access token is requested in this flow because authorisation is handled within the Anbox Cloud services.

In order to allow discovery of the necessary endpoints on the identity provider, it must support the OpenID Connect Discovery protocol.

The following sections show how to configure an OpenID Connect based identity provider for the Anbox Cloud Appliance.

Preparation

In order to configure OpenID Connect based authentication, you will need the following from your identity provider:

  • The issuer URL

  • The client ID

  • (Optional) The audience URL, which some providers (for example, Auth0) require

The identity provider is expected to provide the JSON Web Key Set endpoint on <issuer URL>/.well-known/jwks.json.

Your identity provider must have https://<appliance address or DNS name>/oidc/callback configured as an allowed redirect/callback URL.

Configure OpenID Connect

Support for OpenID Connect can only be configured when the Anbox Cloud Appliance is being initialised with a preseed (see Anbox Cloud Appliance preseed configuration format). The other steps to install the Anbox Cloud Appliance as described in Install the appliance on a dedicated machine remain the same.

The issuer URL, client ID and optional audience URL are set in the preseed configuration as follows:

$ cat preseed.yaml
....
oidc:
  issuer: https://my.auth.com
  client_id: aff32f32ffwfsdfdsfdsg
  # Only if your identity provider requires it
  audience: https://my.auth.com/api/v2
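Before running the initialisation, it is worth checking that the values gathered in the Preparation section and written into the oidc: block are consistent with what the identity provider actually advertises through OpenID Connect Discovery. The following script is an added example and is not part of the Anbox Cloud documentation or tooling: it parses the documented oidc: block, compares it against a discovery document (here a constructed sample of what a provider serves at <issuer>/.well-known/openid-configuration; in practice you would fetch that URL from the issuer first), confirms that the authorisation code flow is supported and that the JWKS endpoint sits at <issuer>/.well-known/jwks.json, and prints the callback URL that has to be allow-listed at the provider. The host name anbox.example.com and all sample values are constructed.

```python
"""Pre-flight checks for the OIDC section of an Anbox Cloud Appliance preseed.

Added example; it is not part of the Anbox Cloud documentation or tooling.
The preseed text and the discovery document below are constructed samples.
"""
import json
from urllib.parse import urlparse

# Constructed preseed fragment in the shape documented for the oidc: block.
PRESEED_YAML = """\
oidc:
  issuer: https://my.auth.com
  client_id: aff32f32ffwfsdfdsfdsg
  # Only if your identity provider requires it
  audience: https://my.auth.com/api/v2
"""

# Constructed sample of what a provider serves at
# <issuer>/.well-known/openid-configuration (OpenID Connect Discovery).
DISCOVERY_JSON = """{
  "issuer": "https://my.auth.com",
  "authorization_endpoint": "https://my.auth.com/authorize",
  "token_endpoint": "https://my.auth.com/oauth/token",
  "jwks_uri": "https://my.auth.com/.well-known/jwks.json",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "grant_types_supported": ["authorization_code", "implicit"]
}"""


def parse_oidc_block(text: str) -> dict:
    """Extract the flat key/value pairs under 'oidc:' from preseed text.

    Minimal parser for exactly the documented shape (one level of indentation,
    '# ...' comment lines); it is not a general YAML parser.
    """
    values = {}
    in_block = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw.startswith(" "):
            # Top-level key: only the oidc: mapping is of interest here.
            in_block = stripped == "oidc:"
            continue
        if in_block:
            key, sep, value = stripped.partition(":")
            if sep:
                values[key.strip()] = value.strip()
    return values


def expected_callback(appliance_host: str) -> str:
    """Redirect URI the appliance uses; it must be allow-listed at the provider."""
    return f"https://{appliance_host}/oidc/callback"


def check_oidc_config(oidc: dict, discovery: dict) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    issuer = oidc.get("issuer", "").rstrip("/")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must be an https URL")
    if issuer != discovery.get("issuer", "").rstrip("/"):
        problems.append("preseed issuer does not match the issuer in the discovery document")
    if not oidc.get("client_id"):
        problems.append("client_id is missing")
    audience = oidc.get("audience")
    if audience is not None and urlparse(audience).scheme not in ("https", "http"):
        problems.append("audience is set but is not a URL")
    # The appliance uses the authorisation code flow, so the provider must
    # advertise response_type=code and the authorization_code grant (the
    # Discovery spec defaults grant_types_supported to authorization_code
    # and implicit when the field is omitted).
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not support response_type=code")
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("provider does not support the authorization_code grant")
    # The appliance expects the JWKS endpoint at <issuer>/.well-known/jwks.json.
    jwks_uri = discovery.get("jwks_uri", "")
    if jwks_uri != issuer + "/.well-known/jwks.json":
        problems.append(f"jwks_uri {jwks_uri!r} is not <issuer>/.well-known/jwks.json")
    return problems


def run_preflight(preseed_text: str, discovery_json: str) -> list:
    """Parse both inputs and return the list of problems found."""
    return check_oidc_config(parse_oidc_block(preseed_text), json.loads(discovery_json))


if __name__ == "__main__":
    issues = run_preflight(PRESEED_YAML, DISCOVERY_JSON)
    print("OK" if not issues else "\n".join(issues))
    print("Allow-list this callback URL at the provider:",
          expected_callback("anbox.example.com"))
```

Run it against your own preseed.yaml and the discovery document you fetched from the issuer; an empty problem list means the preseed is ready for sudo anbox-cloud-appliance init --preseed. The jwks_uri check is deliberately strict because the appliance looks for the key set at the documented path rather than at whatever location the provider advertises.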

With the preseed configuration you can initiate the initialisation process by running:

sudo anbox-cloud-appliance init --preseed < preseed.yaml

Once the initialisation has been completed, you can register a new user by running:

sudo anbox-cloud-appliance dashboard register <email address>

Once the user has been registered by following the printed URL and authenticated with your identity provider, access is granted to the web UI.