Skip to main content

Accessing using OpenID Connect

Headlamp supports OIDC for cluster users to effortlessly log in using a "Sign in" button.

screenshot the login dialog for a cluster

To use OIDC, Headlamp needs to know how to configure it, so you have to provide the following OIDC-related arguments to Headlamp from your OIDC provider:

  • the client ID: -oidc-client-id or env var HEADLAMP_CONFIG_OIDC_CLIENT_ID
  • the client secret: -oidc-client-secret or env var HEADLAMP_CONFIG_OIDC_CLIENT_SECRET
  • the issuer URL: -oidc-idp-issuer-url or env var HEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL
  • (optionally) the OpenId scopes: -oidc-scopes or env var HEADLAMP_CONFIG_OIDC_SCOPES

and you have to tell the OIDC provider about the callback URL, which in Headlamp it is your URL + the /oidc-callback path, e.g.: https://YOUR_URL/oidc-callback.

Scopes

Besides the mandatory openid scope, Headlamp also requests the optional profile and email scopes. Scopes can be overridden by using the -oidc-scopes option. Remember to include the default ones if you need them when using that option. For example, if you need to keep the default scopes and add Github's repo, then add them all to the option:

-oidc-scopes=profile,email,repo

Note: Before Headlamp 0.3.0, a scope groups was also included, as it's used by Dex and other services, but since it's not part of the default spec, it was removed in the mentioned version.

Example: OIDC with Keycloak in Minikube

If you are interested in a comprehensive example of using OIDC and Headlamp, you can check the tutorial on setting up OIDC with Keycloack in Minikube.

Example: OIDC with Dex

If you are using Dex and want to configure Headlamp to use it for OIDC, then you have to:

  • Add the callback URL (e.g. https://YOUR_URL/oidc-callback) to Dex's staticClient.redirectURIs
  • Set -oidc-client-id as Dex's staticClient.id
  • Set -oidc-client-secret as Dex's staticClient.secret
  • Set -oidc-idp-issuer-url as Dex's URL (same as in --oidc-issuer-url in the Kubernetes APIServer)
  • Set -oidc-scopes if needed, e.g. -oidc-scopes=profile,email,groups

Note If you already have another static client configured for Kubernetes for the apiserver's OIDC (OpenID Connect) configuration, use a single static client ID i.e -oidc-client-id for both Dex and Headlamp. Additionally, the redirectURIs need to be specified for each client.