Authentication
Ilum supports three methods for authenticating a user: internal authentication using static configuration properties, Lightweight Directory Access Protocol (LDAP), and an external OAuth2 provider implementing OpenID Connect.
Internal authentication
By default, the application comes with internal authentication enabled. The default user is admin with the password admin, and the role assigned is ADMIN. As a security measure, you must change the default password.
Changing the default password
You can change the default password using a helm upgrade command. For instance:
helm upgrade \
--set ilum-core.security.internal.users[0].username=admin \
--set ilum-core.security.internal.users[0].password=newPassword \
--set ilum-core.security.internal.users[0].roles[0]=ADMIN \
--reuse-values ilum ilum/ilum
Creating additional user accounts
You can create additional users by using the helm upgrade command and specifying the username, password, and roles:
helm upgrade \
--set ilum-core.security.internal.users[0].username=admin \
--set ilum-core.security.internal.users[0].password=adminPassword \
--set ilum-core.security.internal.users[0].roles[0]=ADMIN \
--set ilum-core.security.internal.users[1].username=user \
--set ilum-core.security.internal.users[1].password=userPassword \
--set ilum-core.security.internal.users[1].roles[0]=USER \
--reuse-values ilum ilum/ilum
LDAP authentication
LDAP is a protocol for managing and accessing distributed directory information services. It is particularly useful for verifying user credentials in a centralized manner.
To enable LDAP authentication, you need to provide the LDAP server URL, base DN, user DN pattern, etc. Here's an example helm command:
helm upgrade \
--set ilum-core.security.type="ldap" \
--set ilum-core.security.ldap.urls[0]="ldap://host:port" \
--set ilum-core.security.ldap.base="dc=example\,dc=ilum\,dc=cloud" \
--set ilum-core.security.ldap.username="cn=admin\,dc=example\,dc=ilum\,dc=cloud" \
--set ilum-core.security.ldap.password="psswd" \
--set ilum-core.security.ldap.userSearch.base="ou=people" \
--set ilum-core.security.ldap.userSearch.filter="cn={0}" \
--set ilum-core.security.ldap.userSearch.passwordAttr="userPassword" \
--set ilum-core.security.ldap.groupSearch.base="ou=group" \
--set ilum-core.security.ldap.groupSearch.filter="member={0}" \
--set ilum-core.security.ldap.groupSearch.roleAttr="cn" \
--reuse-values ilum ilum/ilum
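Helm folds the --set lines above into one nested values structure. The following added example (my code, not Ilum's) reproduces that folding in Python, including the \, escape that keeps an LDAP DN such as dc=example\,dc=ilum\,dc=cloud as a single value, and then checks the result for an internal user still carrying the default password from the section above. The ilum-core.security.* keys are the ones on this page; the sample assignments are constructed.

```python
import re


def helm_set_to_values(assignments):
    """Fold Helm --set 'key=value' strings into the nested dict Helm derives from them.
    Supports dotted paths, [n] list indexes and Helm's '\\,' escape for a literal comma."""
    root = {}
    for assignment in assignments:
        key, _, raw = assignment.partition("=")           # split on the first '=' only
        value = raw.strip('"').replace("\\,", ",")         # '"' is shell quoting, '\,' is Helm's escape
        tokens = []
        for seg in key.split("."):
            name, idx = re.fullmatch(r"([^\[]+)((?:\[\d+\])*)", seg).groups()
            tokens.append(name)
            tokens += [int(i) for i in re.findall(r"\[(\d+)\]", idx)]
        node = root
        for tok, nxt in zip(tokens, tokens[1:] + [None]):
            if isinstance(node, list):                     # grow sparse lists as Helm does
                node.extend([None] * (tok + 1 - len(node)))
            if nxt is None:
                node[tok] = value
            elif isinstance(node, list):
                if node[tok] is None:
                    node[tok] = [] if isinstance(nxt, int) else {}
                node = node[tok]
            else:
                node = node.setdefault(tok, [] if isinstance(nxt, int) else {})
    return root


def default_credentials_in_use(values):
    """Return the internal usernames whose password is still the shipped default 'admin'."""
    sec = values.get("ilum-core", {}).get("security", {})
    users = sec.get("internal", {}).get("users", [])
    return [u["username"] for u in users if u and u.get("password") == "admin"]


# Constructed sample: the page's LDAP settings plus an admin account left at the default password.
SAMPLE_SETS = [
    'ilum-core.security.type="ldap"',
    'ilum-core.security.ldap.urls[0]="ldap://host:port"',
    'ilum-core.security.ldap.base="dc=example\\,dc=ilum\\,dc=cloud"',
    'ilum-core.security.ldap.userSearch.filter="cn={0}"',
    "ilum-core.security.internal.users[0].username=admin",
    "ilum-core.security.internal.users[0].password=admin",
    "ilum-core.security.internal.users[0].roles[0]=ADMIN",
    "ilum-core.security.internal.users[1].username=user",
    "ilum-core.security.internal.users[1].password=userPassword",
]

if __name__ == "__main__":
    print(default_credentials_in_use(helm_set_to_values(SAMPLE_SETS)))
```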
OAuth2 authentication
An external OAuth2 provider allows users to authenticate using a provider such as Google, GitHub, etc. This is the most secure way of authenticating users and is recommended for production environments.
It's crucial to highlight that the OAuth2 authentication method in our application is designed to work exclusively with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth2 protocol, which allows clients to verify the identity of end-users based on the authentication performed by an authorization server.
To enable OAuth2 authentication, you need to provide the issuer URI of your OpenID Connect provider and the client ID. Here's an example helm command:
helm upgrade \
--set ilum-core.security.type="oauth2" \
--set ilum-core.security.oauth2.clientId=CLIENT_ID \
--set ilum-core.security.oauth2.issuerUri=https://login.microsoftonline.com/TENANT_ID/v2.0 \
--reuse-values ilum ilum/ilum