Generic OAuth Auth
A Concourse server can authenticate against any valid OAuth auth provider, though it's a bit "closer to the metal" as you'll need to explicitly configure the auth, token, and user-info URLs. You may want to see if you can use Generic OIDC auth if your auth provider is compatible with OIDC.
Authentication
First you'll need to create a client with your OAuth provider.
The callback URL must be the URL of your Concourse server with /sky/issuer/callback appended. This address must be reachable by your OAuth provider - it can't be localhost.
For example, Concourse's own CI server's callback URL would be:
The Generic OAuth provider has many values to set - for a full list consult concourse web --help.
A typical web node env config may look something like this:
CONCOURSE_OAUTH_DISPLAY_NAME=Acme
CONCOURSE_OAUTH_CLIENT_ID=myclientid
CONCOURSE_OAUTH_CLIENT_SECRET=myclientsecret
CONCOURSE_OAUTH_AUTH_URL=https://oauth.example.com/oauth2/auth
CONCOURSE_OAUTH_TOKEN_URL=https://oauth.example.com/oauth2/token
CONCOURSE_OAUTH_USERINFO_URL=https://oauth.example.com/oauth2/userinfo
Consult concourse web --help for a full list of flags with descriptions.
Authorization
OAuth users and groups can be authorized for a team by passing the following flags to fly set-team:
--oauth-user=USERNAME - Authorize an individual user.
--oauth-group=GROUP_NAME - Authorize anyone from the group.
- You may only configure groups if the auth provider exposes this information in either the token itself, or in the contents of the userinfo endpoint.
- You can configure which claim points to the groups information by specifying CONCOURSE_OAUTH_GROUPS_KEY on the web node.
For example:
... or via --config for setting user roles:
Configuring main Team Authorization
OAuth users and groups can be added to the main team authorization config by setting the following env on the web node:
Multiple users and groups may be specified by comma-separating them.
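The following is an added illustration, not Concourse's own code, of the two authorization rules described above: a user is admitted to a team if their name is in the allowed users list or any group read from the claim named by CONCOURSE_OAUTH_GROUPS_KEY is in the allowed groups list, with both lists given comma-separated as for the main team env. The userinfo payload and the user-name claim (user_key) are constructed assumptions.

```python
import json

# Constructed sample response from the USERINFO_URL endpoint (example only).
SAMPLE_USERINFO = json.loads("""
{"sub": "u-123", "user_name": "alice", "email": "alice@example.com",
 "groups": ["ci-admins", "developers"]}
""")


def extract_groups(userinfo: dict, groups_key: str) -> list:
    """Return the groups found under the claim named by groups_key (the value
    you would put in CONCOURSE_OAUTH_GROUPS_KEY). A missing claim or a claim
    that is not a list of strings yields no groups, so a wrong key fails closed
    rather than granting group membership by accident."""
    value = userinfo.get(groups_key)
    if not isinstance(value, list):
        return []
    return [g for g in value if isinstance(g, str)]


def parse_list(value: str) -> set:
    """Split a comma-separated users or groups setting into a set of names,
    ignoring surrounding whitespace and empty entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


def is_authorized(userinfo: dict, *, user_key: str, groups_key: str,
                  users: str, groups: str) -> bool:
    """Team authorization check: allowed if the user-name claim (user_key,
    an assumed claim name) matches an allowed user, or if any of the user's
    groups matches an allowed group."""
    allowed_users = parse_list(users)
    allowed_groups = parse_list(groups)
    name = userinfo.get(user_key)
    if isinstance(name, str) and name in allowed_users:
        return True
    return any(g in allowed_groups for g in extract_groups(userinfo, groups_key))


if __name__ == "__main__":
    print(is_authorized(SAMPLE_USERINFO, user_key="user_name",
                        groups_key="groups", users="bob", groups="developers"))
```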