Authentication Configuration
Conncentric authenticates Portal users via OIDC (OpenID Connect). Configure your identity provider details in the Helm values at deploy time.
Helm Configuration
All auth settings live under portal.auth in your values file:
portal:
  auth:
    provider: "external"
    authority: ""   # OIDC issuer URL
    clientId: ""    # OAuth2 client ID
    scope: "openid profile email"
    audience: ""    # Required by some providers (e.g., Auth0)
Provider Examples
Auth0
portal:
  auth:
    provider: "external"
    authority: "https://your-tenant.auth0.com/"
    clientId: "your-client-id"
    scope: "openid profile email"
    audience: "https://your-api-identifier"
In your Auth0 dashboard:
- Create an SPA application
- Add your Portal URL to Allowed Callback URLs (e.g. https://conncentric.example.com)
- Add it to Allowed Logout URLs and Allowed Web Origins
- Create an API with the identifier you use as audience
Okta
portal:
  auth:
    provider: "external"
    authority: "https://your-tenant.okta.com/oauth2/default"
    clientId: "your-client-id"
    scope: "openid profile email offline_access"
    audience: ""
In Okta, create an OIDC Web Application (use SPA type) and register the Portal URL as a redirect URI.
Azure Entra ID
portal:
  auth:
    provider: "external"
    authority: "https://login.microsoftonline.com/{tenant-id}/v2.0"
    clientId: "your-client-id"
    scope: "openid profile email api://{client-id}/access_as_user"
    audience: ""
In Azure, register a Single-page application, add the Portal URL as a redirect URI, and expose an API scope.
Verifying Configuration
After deploying with your auth settings, navigate to the Portal URL. You should be redirected to your identity provider's login page. After authenticating, you will be returned to the Portal.
If the redirect fails or you see an error, check:
- The authority URL is reachable from the user's browser (not just from the cluster)
- The clientId matches the application registered in your identity provider
- Your Portal URL is listed as an allowed redirect URI in the provider
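Some of these checks can be run before deploying by comparing the portal.auth values with the provider's OIDC discovery document. The script below is an added example, not part of Conncentric; its function names are hypothetical and the sample discovery document is constructed. It relies on the OIDC Discovery rule that the advertised issuer must equal the URL used for discovery.

```python
import json
import urllib.request

STANDARD_SCOPES = {"openid", "profile", "email", "offline_access"}

def discovery_url(authority):
    # OIDC Discovery: metadata is served under the issuer at a fixed path.
    return authority.rstrip("/") + "/.well-known/openid-configuration"

def fetch_discovery(authority, timeout=5):
    # Run from a workstation: the user's browser, not the cluster, must reach it.
    with urllib.request.urlopen(discovery_url(authority), timeout=timeout) as resp:
        return json.load(resp)

def check_auth_values(auth, doc):
    """Compare portal.auth values with a discovery document; return problems found."""
    problems = []
    authority = auth.get("authority", "")
    if not authority.startswith("https://"):
        problems.append("authority is not an https:// URL")
    if not auth.get("clientId"):
        problems.append("clientId is empty")
    # The spec requires the advertised issuer to equal the URL used for discovery,
    # character for character, so a missing or extra trailing slash counts.
    if doc.get("issuer") != authority:
        problems.append(f"issuer {doc.get('issuer')!r} != authority {authority!r}")
    requested = set(auth.get("scope", "").split())
    if "openid" not in requested:
        problems.append("scope lacks 'openid'")
    # scopes_supported is optional metadata and custom API scopes are not listed
    # there, so only the standard scopes are compared.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        for s in sorted((requested & STANDARD_SCOPES) - set(advertised)):
            problems.append(f"scope {s!r} not advertised by the provider")
    return problems

# Constructed sample (not a real tenant): values as in the Auth0 example above.
SAMPLE_AUTH = {"authority": "https://your-tenant.auth0.com/", "clientId": "your-client-id",
               "scope": "openid profile email", "audience": "https://your-api-identifier"}
SAMPLE_DOC = {"issuer": "https://your-tenant.auth0.com/",
              "authorization_endpoint": "https://your-tenant.auth0.com/authorize",
              "scopes_supported": ["openid", "profile", "email", "offline_access"]}

if __name__ == "__main__":
    # Swap SAMPLE_DOC for fetch_discovery(SAMPLE_AUTH["authority"]) against a real tenant.
    for line in check_auth_values(SAMPLE_AUTH, SAMPLE_DOC) or ["no problems found"]:
        print(line)
```

The redirect URI and clientId registration cannot be read from the discovery document, so those two items still have to be checked in the provider's console.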