Closed chasemduffin closed 2 months ago
Hi,
You can use the spotfire-server chart to create a spotfire-server configuration when the chart is installed. See https://github.com/spotfiresoftware/spotfire-cloud-deployment-kit/tree/main/helm/charts/spotfire-server#configuration specifically configuration.configurationScripts
Your values file can look something like this:
```yaml
configuration:
  apply: initialsetup
  configurationScripts:
    - name: configure_oidc
      script: |
        echo "Configuring OIDC "
        config-oidc ...
```
For details on the configuration tool commands you need to run in your script, please refer to the regular spotfire-server help:
Note that the value `configuration.apply=initialsetup` means that the configuration is created the first time you install the helm chart, and on subsequent upgrades the script will not be applied again. It will only bootstrap a configuration according to your values; when reconfiguring you will need to use the config tool. If you wish to apply the configuration scripts on every upgrade, you can instead set the value to `always`.
Please let me know if this helps or if you need additional information.
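As an added example, not part of the answer above or of the spotfire-server chart, here is a small guard that a `configurationScripts` entry can run before it calls `config-oidc`. It fails fast if any of the OIDC environment variables is empty or if the discovery URL is not HTTPS at the standard `/.well-known/openid-configuration` path, and it logs what is about to be configured without printing the client secret. The variable names are the ones used later in this thread; the check itself and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or the chart): a pre-flight guard for a
# configurationScripts entry. Variable names follow the thread; the check is
# an assumption about what a deployment script should verify.

check_oidc_env() {
  # Every required variable must be set and non-empty; report which one is
  # missing by name only, never by value.
  for var in OIDC_PROVIDER_NAME OIDC_PROVIDER_DISCOVERY_URL \
             OIDC_PROVIDER_CLIENT_ID OIDC_PROVIDER_CLIENT_SECRET; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $var" >&2
      return 1
    fi
  done

  # The discovery document is fetched by the server and drives token
  # validation, so insist on TLS and on the standard discovery path.
  case "$OIDC_PROVIDER_DISCOVERY_URL" in
    https://*/.well-known/openid-configuration) ;;
    *)
      echo "discovery URL must be https and end in /.well-known/openid-configuration" >&2
      return 1
      ;;
  esac
  return 0
}

# Log the configuration that is about to be applied with the secret redacted,
# so that pod logs stay free of credentials.
describe_oidc_config() {
  printf 'provider=%s discovery=%s client_id=%s client_secret=<redacted>\n' \
    "$OIDC_PROVIDER_NAME" "$OIDC_PROVIDER_DISCOVERY_URL" "$OIDC_PROVIDER_CLIENT_ID"
}

# Usage inside the script block: run the guard first, then call config-oidc
# with the same options shown in the thread (hypothetical wiring, shown as comments):
# if check_oidc_env; then
#   describe_oidc_config
#   config-oidc --enabled=true ... --provider-client-secret="${OIDC_PROVIDER_CLIENT_SECRET}"
# fi
```

Because `configuration.apply=initialsetup` runs the script only once, a failed guard on first install is far cheaper to notice than a half-applied OIDC configuration that has to be repaired later with the config tool.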
@mjohanss-tibco Markus, thanks very much for pointing me in the right direction.
Here is the script block I used:
```yaml
configurationScripts:
  - name: configure_oidc
    script: |
      echo "configuring OIDC"
      config-oidc \
        --enabled=true \
        --third-party-login-init-enabled=true \
        --set-provider \
        --provider-name="${OIDC_PROVIDER_NAME}" \
        --provider-enabled=true \
        --provider-discovery-url="${OIDC_PROVIDER_DISCOVERY_URL}" \
        --provider-client-id="${OIDC_PROVIDER_CLIENT_ID}" \
        --provider-client-secret="${OIDC_PROVIDER_CLIENT_SECRET}"
```
I can confirm all the environment variables were passed correctly.
```
Running config step /opt/spotfire/configuration-scripts/0000-configure_oidc
======================================================
"configuring OIDC"
Added the provider 'Okta'
Successfully updated the OpenID Connect configuration
Endpoints:
OpenID Connect Redirect URI: http[s]://<host>[:<port>]/spotfire/auth/oidc/authenticate
OAuth2 Redirect URI: http[s]://<host>[:<port>]/spotfire/auth/oauth2/return
Third Party Login Initiation Endpoint: http[s]://<host>[:<port>]/spotfire/auth/oidc/v1/initiate
```
Relevant excerpt from the generated configuration:
```xml
<oidc>
  <enabled>true</enabled>
  <enabled-tls-protocols />
  <enabled-tls-cipher-suites />
  <providers>
    <provider>
      <name>Okta</name>
      <enabled>true</enabled>
      <client-id>redacted</client-id>
      <client-secret>redacted</client-secret>
      <discovery-url>https://redacted.okta.com/.well-known/openid-configuration</discovery-url>
      <display-properties />
    </provider>
  </providers>
</oidc>
```
However, I don't yet see any OIDC provider login option on my Spotfire login page. Is there another step I missed?
Ah, @mjohanss-tibco, please disregard. It just took some time or my browser was caching the login page. I see it now. Thanks again so much!
What's the prescribed way to configure an OIDC provider for authentication during deployment? I understand this can be done manually, after the fact, with the config tool; however, I'd like to build it into the automatic deployment. Could you provide an example of how to do this?