AdminUiSettings

Proto: admin_ui_settings.proto

Package: portal.gloo.solo.io

Types:

AdminUiSettingsSpec

Field Type Label Description
authn portal.gloo.solo.io.AdminUiSettingsSpec.AuthenticationConfig Configuration used to authenticate incoming requests.
authz portal.gloo.solo.io.AdminUiSettingsSpec.AuthorizationConfig Configuration used to authorize incoming requests.

AdminUiSettingsSpec.AuthenticationConfig

Field Type Label Description
oidc portal.gloo.solo.io.OidcConfig OIDC Configuration used to authenticate incoming requests.

AdminUiSettingsSpec.AuthorizationConfig

Field Type Label Description
enableRbac bool Enable RBAC. When this is enabled, Gloo Portal uses the RBAC resources in the cluster (Roles, RoleBindings and their cluster-scoped equivalents) to decide whether a user may see a resource in the Admin UI. For this to work, the Admin UI and the Kubernetes API server must derive identity from the same source, i.e. the same OIDC issuer with the same username and groups claims and prefixes; otherwise the subject Gloo Portal evaluates will not match the subjects named in the bindings. When using OIDC, make sure to configure the userMapping field to mirror the API server's --oidc-* flags.

AdminUiSettingsStatus

Status field is required to generate a client, but this is currently not updated anywhere

Field Type Label Description
observedGeneration int64 The generation of the AdminUiSettings resource that was last observed. When this matches the AdminUiSettings’ metadata.generation, it indicates the status is up-to-date.
state common.portal.gloo.solo.io.State The current state of the AdminUISettings
reason string A human-readable string explaining the error, if any.

JwksOnDemandCacheRefreshPolicy

The json web key set (JWKS) (https://tools.ietf.org/html/rfc7517) is discovered at an interval from a remote source. When keys rotate in the remote source, there may be a delay in the local source picking up those new keys. Therefore, a user could execute a request with a token that has been signed by a key in the remote JWKS, but the local cache doesn't have the key yet. The request would fail because the key isn't contained in the local set. Since most IdPs publish keys in their remote JWKS before they are used, this is not an issue most of the time. This policy lets you define the behavior for when a user has a token with a key not yet in the local cache.

Field Type Label Description
never google.protobuf.Empty Never refresh the local JWKS cache on demand. If the token's key is not in the cache, the token is rejected as if it were signed by an untrusted key. This is the default policy, since IdPs are assumed to publish keys before they rotate to them and the periodic poll (discoveryPollInterval) picks up the new keys.
always google.protobuf.Empty If a key is not in the cache, fetch the most recent keys from the IdP and update the cache. NOTE: This should only be used in trusted environments, because every token whose kid is unknown triggers a request to the IdP. On an endpoint exposed to the internet, an unauthenticated client can send a stream of tokens with made-up kids and turn the Admin UI into a request amplifier against the IdP's JWKS endpoint, a denial-of-service vector for both.
maxIdpReqPerPollingInterval uint32 If a key is not in the cache, fetch the most recent keys from the IdP and update the cache, but at most this many times per polling interval. Once the limit is reached, further unknown keys are rejected without contacting the IdP until the next interval starts. This is the bounded alternative to always: a small value is enough to pick up a legitimate rotation while capping what an attacker can induce.
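The three policies differ only in what happens on a cache miss, and the security consequence is easiest to see by counting IdP round trips under a flood of tokens with unknown kids. The following Go program is an added example, not Gloo Portal's implementation: the Policy, Cache and Fetcher types and the constructed fakeIdp are assumptions made for illustration, and the in-memory cache stands in for the real JWKS client. It also shows the case the page motivates, a key rotated at the IdP that the cache has not seen yet, and the budget reset on the periodic poll.

```go
package main

import (
	"errors"
	"fmt"
)

// Policy mirrors the JwksOnDemandCacheRefreshPolicy oneof: exactly one variant applies.
type Policy struct {
	Never                       bool
	Always                      bool
	MaxIdpReqPerPollingInterval uint32 // used when >0 and neither Never nor Always is set
}

// Fetcher is an assumed interface standing in for an HTTPS GET of the issuer's jwks_uri.
type Fetcher interface {
	Fetch() (map[string][]byte, error)
}

var ErrUnknownKey = errors.New("token kid not in local JWKS cache")

// Cache holds the local key set, indexed by kid, plus the per-interval on-demand budget.
type Cache struct {
	policy   Policy
	fetcher  Fetcher
	keys     map[string][]byte
	onDemand uint32 // on-demand IdP fetches made since the last periodic poll
}

func NewCache(p Policy, f Fetcher) (*Cache, error) {
	c := &Cache{policy: p, fetcher: f}
	return c, c.Poll()
}

// Poll is the periodic refresh (discoveryPollInterval); it also resets the on-demand budget.
func (c *Cache) Poll() error {
	keys, err := c.fetcher.Fetch()
	if err != nil {
		return err
	}
	c.keys, c.onDemand = keys, 0
	return nil
}

// Lookup returns the key for kid, consulting the IdP on a miss only as the policy allows.
func (c *Cache) Lookup(kid string) ([]byte, error) {
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	switch {
	case c.policy.Always:
		// unbounded: every unknown kid costs one IdP round trip
	case !c.policy.Never && c.policy.MaxIdpReqPerPollingInterval > 0:
		if c.onDemand >= c.policy.MaxIdpReqPerPollingInterval {
			return nil, ErrUnknownKey // budget spent; wait for the next poll
		}
	default: // never (the documented default), or no policy set at all
		return nil, ErrUnknownKey
	}
	keys, err := c.fetcher.Fetch()
	if err != nil {
		return nil, err
	}
	c.keys, c.onDemand = keys, c.onDemand+1
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return nil, ErrUnknownKey
}

// fakeIdp is a constructed stand-in for the issuer; Calls counts jwks_uri requests.
type fakeIdp struct {
	Keys  map[string][]byte
	Calls int
}

func (f *fakeIdp) Fetch() (map[string][]byte, error) {
	f.Calls++
	out := make(map[string][]byte, len(f.Keys)) // copy, so later rotations need a real fetch
	for k, v := range f.Keys {
		out[k] = v
	}
	return out, nil
}

// SimulateFlood sends n tokens whose kids the IdP never published and reports how many
// IdP round trips the cache made beyond its initial poll.
func SimulateFlood(p Policy, n int) int {
	idp := &fakeIdp{Keys: map[string][]byte{"kid-2024-01": []byte("constructed-key")}}
	c, _ := NewCache(p, idp)
	for i := 0; i < n; i++ {
		_, _ = c.Lookup(fmt.Sprintf("bogus-%d", i))
	}
	return idp.Calls - 1
}

func main() {
	for _, tc := range []struct {
		name string
		p    Policy
	}{
		{"never", Policy{Never: true}},
		{"always", Policy{Always: true}},
		{"max 3 per interval", Policy{MaxIdpReqPerPollingInterval: 3}},
	} {
		fmt.Printf("%-20s %4d IdP requests for 1000 unknown kids\n", tc.name, SimulateFlood(tc.p, 1000))
	}
}
```

With 1000 bogus tokens the always policy makes 1000 IdP requests, never makes none, and maxIdpReqPerPollingInterval: 3 makes three and then rejects locally until the next poll; the rotation scenario shows that the bounded policy still finds a freshly published key on the first miss.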

OidcConfig

Field Type Label Description
clientId string The client ID that you got when you registered your app with the issuer.
clientSecretRef common.portal.gloo.solo.io.SecretRef The Kubernetes secret that stores the client secret that you got when you registered your app with the issuer. The secret must exist on the same cluster as the Admin UI deployment.
issuerUrl string The URL of the issuer. Gloo Portal automatically discovers the OIDC configuration by querying the .well-known/openid-configuration endpoint on the issuer_url.
authEndpointQueryParams []portal.gloo.solo.io.OidcConfig.AuthEndpointQueryParamsEntry repeated Extra query parameters to apply to the authorization request to the identity provider. For example, using the PKCE flow (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) by setting code_challenge and code_challenge_method.
tokenEndpointQueryParams []portal.gloo.solo.io.OidcConfig.TokenEndpointQueryParamsEntry repeated Extra query parameters to apply to the token request to the identity provider. For example, completing the PKCE flow (https://www.oauth.com/oauth2-servers/pkce/authorization-request/) by setting code_verifier, the value whose hash was sent as code_challenge in the authorization request.
appUrl string URL to redirect to after successful auth.
callbackPath string Path to handle the OIDC callback.
scopes []string repeated Scopes to request in addition to ‘openid’, such as ‘email’ or ‘profile’.
userSession enterprise.gloo.solo.io.UserSession Configuration for storing the user session, such as cookie options. For more information, see UserSession in the Gloo Edge docs.
discoveryOverride enterprise.gloo.solo.io.DiscoveryOverride Ensure that certain values are set regardless of what the OIDC provider returns.
discoveryPollInterval google.protobuf.Duration How often to poll the OIDC issuer for new configuration. (Default 30s)
jwksCacheRefreshPolicy portal.gloo.solo.io.JwksOnDemandCacheRefreshPolicy If a request carries a token signed with a key (kid) that is not in the local JWKS cache, the keys may have rotated at the remote source without the cache having been refreshed yet. This policy defines whether, and how often, the local cache is refreshed on demand during such a request; see JwksOnDemandCacheRefreshPolicy above.
userMapping portal.gloo.solo.io.UserMapping If set, the ID token claims are mapped to a username and groups (see UserMapping below) and that identity is used for authorization decisions. If not specified, no identity is derived and no authorization decision can be made, so it must be set when authz.enableRbac is true.
caCertSecretRef common.portal.gloo.solo.io.SecretRef A Kubernetes secret that stores the CA certificate to use when talking to the OIDC issuer.
caCertConfigmapRef common.portal.gloo.solo.io.ObjectRef A Kubernetes config map to use when talking to the OIDC issuer. The config map must contain a key named “ca.crt” with the PEM-encoded CA certificate.
signingKey string The signing key used to sign the OIDC state parameter. This value is stored in plain text in the resource, so anyone who can read the AdminUiSettings object can read it; instead of providing the key directly, you can use the ‘signingKeyFile’ option, which reads it from a file path and keeps it out of the resource definition.
signingKeyFile string The path to a file containing the signing key used to sign the state field.

OidcConfig.AuthEndpointQueryParamsEntry

Field Type Label Description
key string
value string

OidcConfig.TokenEndpointQueryParamsEntry

Field Type Label Description
key string
value string

UserMapping

Settings to make sure the identity derived from the ID token issued by the OIDC issuer (the one identified by clientId and issuerUrl) matches the identity the Kubernetes API server derives from the same token. These settings correspond to the kube-apiserver OIDC options: usernameClaim to --oidc-username-claim, usernamePrefix to --oidc-username-prefix, groupsClaim to --oidc-groups-claim and groupsPrefix to --oidc-groups-prefix. For more information, see the Kubernetes API server docs.

Field Type Label Description
usernameClaim string The JWT field to use as the user's username.
usernamePrefix string If specified, causes the username derived from the claim to be prefixed with the provided value. A value of “oidc:” would result in usernames like “oidc:john”.
groupsClaim string If specified, causes the OIDC authenticator to populate the user's groups from the named ID token claim. If the claim is present in an ID token, its value must be a string or a list of strings.
groupsPrefix string If specified, causes claims mapping to group names to be prefixed with the value. A value “oidc:” would result in groups like “oidc:engineering” and “oidc:marketing”.
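The point of UserMapping, and of the enableRbac note above, is that the Admin UI and the API server must turn the same ID token into the same Kubernetes subject, because RBAC bindings name that subject literally. The Go program below is an added example, not Gloo Portal's or Kubernetes' code: the UserMapping, Subject and Binding types, the Allowed check and the constructed claims are assumptions for illustration. It applies one mapping that mirrors the API server's flags and one that forgot the prefixes, and shows that only the aligned mapping matches a binding for group “oidc:sre”; it also handles the groups claim as either a string or a list of strings and rejects anything else.

```go
package main

import (
	"fmt"
	"sort"
)

// UserMapping mirrors the portal.gloo.solo.io.UserMapping fields, which follow the
// kube-apiserver --oidc-username-claim/-prefix and --oidc-groups-claim/-prefix flags.
type UserMapping struct {
	UsernameClaim  string
	UsernamePrefix string
	GroupsClaim    string
	GroupsPrefix   string
}

// Subject is the Kubernetes identity that RBAC bindings are evaluated against.
type Subject struct {
	Username string
	Groups   []string
}

// Map derives a Kubernetes subject from decoded ID-token claims. The groups claim, when
// present, must be a string or a list of strings (the documented constraint).
func (m UserMapping) Map(claims map[string]interface{}) (Subject, error) {
	name, ok := claims[m.UsernameClaim].(string)
	if !ok || name == "" {
		return Subject{}, fmt.Errorf("username claim %q missing or not a non-empty string", m.UsernameClaim)
	}
	s := Subject{Username: m.UsernamePrefix + name}
	if m.GroupsClaim == "" {
		return s, nil
	}
	switch g := claims[m.GroupsClaim].(type) {
	case nil: // claim absent: the user has no groups
	case string:
		s.Groups = []string{m.GroupsPrefix + g}
	case []string:
		for _, v := range g {
			s.Groups = append(s.Groups, m.GroupsPrefix+v)
		}
	case []interface{}: // what encoding/json produces for a JSON array
		for _, v := range g {
			gs, ok := v.(string)
			if !ok {
				return Subject{}, fmt.Errorf("groups claim %q contains a non-string element", m.GroupsClaim)
			}
			s.Groups = append(s.Groups, m.GroupsPrefix+gs)
		}
	default:
		return Subject{}, fmt.Errorf("groups claim %q must be a string or list of strings", m.GroupsClaim)
	}
	sort.Strings(s.Groups)
	return s, nil
}

// Binding is the subject half of a (Cluster)RoleBinding: Kind is "User" or "Group".
type Binding struct {
	Kind, Name string
}

// Allowed reports whether any binding names the subject, directly or via one of its groups.
func Allowed(bindings []Binding, s Subject) bool {
	for _, b := range bindings {
		switch b.Kind {
		case "User":
			if b.Name == s.Username {
				return true
			}
		case "Group":
			for _, g := range s.Groups {
				if b.Name == g {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	// Constructed ID-token claims; the API server and Portal mappings must agree on them.
	claims := map[string]interface{}{"sub": "alice", "groups": []interface{}{"sre", "dev"}}
	apiserver := UserMapping{"sub", "oidc:", "groups", "oidc:"} // what the cluster is started with
	aligned := UserMapping{"sub", "oidc:", "groups", "oidc:"}   // Portal userMapping, matching
	drifted := UserMapping{"sub", "", "groups", ""}             // Portal userMapping, prefixes forgotten
	bindings := []Binding{{"Group", "oidc:sre"}}
	for _, m := range []UserMapping{apiserver, aligned, drifted} {
		s, err := m.Map(claims)
		fmt.Printf("%+v -> %+v allowed=%v err=%v\n", m, s, Allowed(bindings, s), err)
	}
}
```

The drifted mapping yields the subject alice in groups dev and sre, which no binding names, so a user the API server would admit is denied in the Admin UI; the fix is configuration, not code: copy the API server's claim names and prefixes into userMapping exactly.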