See open-metadata/OpenMetadata@d578aa7 from refs/heads/main

open-metadata · Dec 18, 2024 · 2c90450 · 2c90450
1 parent 6d051e5
commit 2c90450
Show file tree

Hide file tree

Showing 27 changed files with 1,542 additions and 589 deletions.
diff --git a/content/v1.5.x/deployment/security/auth0/auth-code-flow.md b/content/v1.5.x/deployment/security/auth0/auth-code-flow.md
@@ -0,0 +1,37 @@
+---
+title: Auth0 SSO for Docker
+slug: /deployment/security/auth0/auth-code-flow
+collate: false
+---
+
+# Auth Code Flow
+
+### Step 1: Create a New Application
+
+- Once you are on the Dashboard page, click on `Applications > Applications` available on the left-hand side panel.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/create-new-app-1.png" 
+alt="create-app" /%}
+
+- Click on `Create Application`.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/create-new-app-2.png" 
+alt="create-app" /%}
+
+- Enter the Application name.
+- Choose an application type and click on `Create`.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/auth-code-flow-1.png" 
+alt="create-app" /%}
+
+### Step 2: Where to Find the Credentials
+
+- Navigate to the Settings tab. 
+- You will find your `Client ID` and `Client Secret`.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/auth-code-flow-2.png" 
+alt="credentials" /%}
diff --git a/content/v1.5.x/deployment/security/auth0/implicit-flow.md b/content/v1.5.x/deployment/security/auth0/implicit-flow.md
@@ -0,0 +1,63 @@
+---
+title: Auth0 SSO for Docker
+slug: /deployment/security/auth0/implicit-flow
+collate: false
+---
+
+# Implicit Flow
+
+### Step 1: Create a New Application
+
+- Once you are on the Dashboard page, click on `Applications > Applications` available on the left-hand side panel.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/create-new-app-1.png" 
+alt="create-app" /%}
+
+- Click on `Create Application`.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/create-new-app-2.png" 
+alt="create-app" /%}
+
+- Enter the Application name.
+- Choose an application type and click on `Create`.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/create-new-app-3.png" 
+alt="create-app" /%}
+
+### Step 2: Where to Find the Credentials
+
+- Navigate to the Settings tab. 
+- You will find your `Client ID` and `Domain`.
+
+{% image 
+src="/images/v1.5/deployment/security/auth0/credentials.png" 
+alt="credentials" /%}
+
+After the applying these steps, you can update the configuration of your deployment:
+
+{% inlineCalloutContainer %}
+  {% inlineCallout
+    color="violet-70"
+    icon="celebration"
+    bold="Docker Security"
+    href="/deployment/security/auth0/docker" %}
+    Configure Auth0 SSO for your Docker Deployment.
+  {% /inlineCallout %}
+  {% inlineCallout
+    color="violet-70"
+    icon="storage"
+    bold="Bare Metal Security"
+    href="/deployment/security/auth0/bare-metal" %}
+    Configure Auth0 SSO for your Bare Metal Deployment.
+  {% /inlineCallout %}
+  {% inlineCallout
+    color="violet-70"
+    icon="fit_screen"
+    bold="Kubernetes Security"
+    href="/deployment/security/auth0/kubernetes" %}
+    Configure Auth0 SSO for your Kubernetes Deployment.
+  {% /inlineCallout %}
+{% /inlineCalloutContainer %}
diff --git a/content/v1.5.x/deployment/security/auth0/index.md b/content/v1.5.x/deployment/security/auth0/index.md
@@ -42,34 +42,33 @@ alt="create-account" /%}
 src="/images/v1.5/deployment/security/auth0/create-account-3.png" 
 alt="create-account" /%}
 
-### Step 2: Create a New Application
 
-- Once you are on the Dashboard page, click on `Applications > Applications` available on the left-hand side panel.
+## Step 2: Create Server Credentials
 
-{% image 
-src="/images/v1.5/deployment/security/auth0/create-new-app-1.png" 
-alt="create-app" /%}
+## Choose Your Authentication Flow
 
-- Click on `Create Application`.
+After creating the account, choose the authentication flow you want to use:
 
-{% image 
-src="/images/v1.5/deployment/security/auth0/create-new-app-2.png" 
-alt="create-app" /%}
+- [Implicit Flow](/deployment/security/auth0/implicit-flow) (Public)
+- [Auth Code Flow](/deployment/security/auth0/auth-code-flow) (Confidential)
 
-- Enter the Application name.
-- Choose an application type and click on `Create`.
 
-{% image 
-src="/images/v1.5/deployment/security/auth0/create-new-app-3.png" 
-alt="create-app" /%}
 
-### Step 3: Where to Find the Credentials
+{% note %}
 
-- Navigate to the Settings tab. 
-- You will find your `Client ID` and `Domain`.
+- **SPA (Single Page Application):**  
+  This type is designed for implicit flows. In this case, providing both the client ID and client secret will result in a failure because the implicit flow only requires the client ID for authentication.
 
-{% image 
-src="/images/v1.5/deployment/security/auth0/credentials.png" 
-alt="credentials" /%}
+- **Web:**  
+  This type is intended for confidential clients. If you select this option, you must provide both the client ID and client secret. Simply passing the client ID will cause the authorization process to fail, as the Authorization Code flow requires both credentials for successful authentication.
+  The [OIDC Authorization Code Flow](/deployment/security/oidc) is used in this case, where the client secret is required to securely exchange the authorization code for tokens.
+
+
+### Recommendation:
+
+- Use the **Web** type for confidential clients that require both a client ID and secret.
+- Use the **SPA** type for applications using implicit flows where only a client ID is needed.
+
+{% /note %}
 
 {% partial file="/v1.5/deployment/configure-ingestion.md" /%}
diff --git a/content/v1.5.x/deployment/security/keycloak/auth-code-flow.md b/content/v1.5.x/deployment/security/keycloak/auth-code-flow.md
@@ -0,0 +1,45 @@
+---
+title: Auth code flow of Keyclock
+slug: /deployment/security/keycloak/auth-code-flow
+collate: false
+---
+
+# Auth Code Flow 
+
+
+### Step 1: Create OpenMetadata as a new Client
+- Click on `Clients` in the menu.
+- Click on `Create Client` button.
+- Select the `Client type`.
+- Enter the `Client ID`.
+- Enter the Name and Description `(Optional)`.
+- Click on `Next` button.
+
+{% image src="/images/v1.5/deployment/security/keycloak/keycloak-step-3.png" alt="add-client" /%}
+
+### Step 2: Edit Configs of the client
+- Enable `Client authentication` and `Authorization`.
+- Select `Standard flow` as an `Authentication flow`.
+- Click `Next`.
+
+{% image src="/images/v1.5/deployment/security/keycloak/keycloak-step-4.png" alt="compatibility configs" /%}
+
+### Step 3: Add Login Settings
+- fill the required options
+
+{% image src="/images/v1.5/deployment/security/keycloak/keycloak-step-5.png" alt="edit-settings-url.png" /%}
+
+- Click on `Save` button.
+
+{% note %}
+
+Note: Scopes `openid`, `email` & `profile` are required to fetch the user details so you will have to add these scopes in your client.
+
+{% /note %}
+
+### Step 3: Where to Find the Credentials
+
+- Navigate to the `Credentials` tab.
+- You will find your `Client Secret` related to the Client id "open-metadata"
+
+{% image src="/images/v1.5/deployment/security/keycloak/keycloak-step-6.png" alt="client-credentials" /%}
diff --git a/content/v1.5.x/deployment/security/keycloak/implicit-flow.md b/content/v1.5.x/deployment/security/keycloak/implicit-flow.md
@@ -0,0 +1,71 @@
+---
+title: Implicit flow of Keyclock
+slug: /deployment/security/keycloak/implicit-flow
+collate: false
+---
+
+# Implicit Flow 
+
+### Step 1: Create OpenMetadata as a new Client
+
+- Click on `Clients` in the menu.
+- Click on `Create Client` button.
+- Select the `Client type`.
+- Enter the `Client ID`.
+- Enter the Name and Description `(Optional)`.
+- Click on `Next` button.
+
+{% image src="/images/v1.5/deployment/security/keycloak/keycloak-step-3.png" alt="add-client" /%}
+
+### Step 2: Edit Configs of the client
+
+- Select `Standard flow` and `Implicit flow` as an `Authentication flow`.
+- Click `Next`.
+
+{% image src="/images/v1.5/deployment/security/keycloak/implicit-keycloak-step-4.png" alt="compatibility configs" /%}
+
+### Step 3: Add Login Settings
+- fill the required options
+
+{% image src="/images/v1.5/deployment/security/keycloak/keycloak-step-5.png" alt="edit-settings-url.png" /%}
+
+- Click on `Save` button.
+
+{% note %}
+
+Note: Scopes `openid`, `email` & `profile` are required to fetch the user details so you will have to add these scopes in your client.
+
+{% /note %}
+
+
+
+
+After the applying these steps, the users in your realm are able to login in the openmetadata, as a suggestion create a user called "admin-user". Now you can update the configuration of your deployment:
+
+{% inlineCalloutContainer %}
+  {% inlineCallout
+    color="violet-70"
+    icon="celebration"
+    bold="Docker Security"
+    href="/deployment/security/keycloak/docker" %}
+    Configure Keycloak SSO for your Docker Deployment.
+  {% /inlineCallout %}
+  {% inlineCallout
+    color="violet-70"
+    icon="storage"
+    bold="Bare Metal Security"
+    href="/deployment/security/keycloak/bare-metal" %}
+    Configure Keycloak SSO for your Bare Metal Deployment.
+  {% /inlineCallout %}
+  {% inlineCallout
+    color="violet-70"
+    icon="fit_screen"
+    bold="Kubernetes Security"
+    href="/deployment/security/keycloak/kubernetes" %}
+    Configure Keycloak SSO for your Kubernetes Deployment.
+  {% /inlineCallout %}
+{% /inlineCalloutContainer %}
+
+{% note %}
+A dockerized demo for showing how this SSO works with OpenMetadata can be found [here](https://github.com/open-metadata/openmetadata-demo/tree/main/keycloak-sso).
+{% /note %}
diff --git a/content/v1.5.x/deployment/security/keycloak/index.md b/content/v1.5.x/deployment/security/keycloak/index.md
@@ -33,70 +33,31 @@ Security requirements for your **production** environment:
 - The Keycloak use Realms as the primary form of organization, we can't use the realm "master" for new clients (apps), only for administration, so change for your specific realm or create a new.
 - In this example we are used an existing one called "Data-sec".
 
-{% image src="/images/v1.5/deployment/security/keycloak/2-change-realm.png" alt="change-realm" /%}
+{% image src="/images/v1.5/deployment/security/keycloak/keycloak-step-2.png" alt="change-realm" /%}
 
-### Step 3: Create OpenMetadata as a new Client
-- Click on `Clients` in the menu.
-- Click on `Create` button.
-- Enter the Client ID and Protocol as the image.
-- Click on `Save` button.
+## Create Server Credentials
 
-{% image src="/images/v1.5/deployment/security/keycloak/3-add-client.png" alt="add-client" /%}
+## Choose Your Authentication Flow
 
-### Step 4: Edit settings of the client
-- Change "Access Type" value from "public" to "confidential".
-- Change "implicit flow" and "service accounts" to enabled.
+After creating the account, choose the authentication flow you want to use:
 
-{% image src="/images/v1.5/deployment/security/keycloak/4-edit-settings-client.png" alt="edit-settings-client" /%}
+- [Implicit Flow](/deployment/security/keycloak/implicit-flow) (Public)
+- [Auth Code Flow](/deployment/security/keycloak/auth-code-flow) (Confidential)
 
-- At the bottom of the same settings page, change the configurations to the openmetadata address.
-- The image below shows different possibilities, such as running locally or with a custom domain.
+{% note %}
 
-{% image src="/images/v1.5/deployment/security/keycloak/5-edit-settings-url.png" alt="edit-settings-url.png" /%}
+- **SPA (Single Page Application):**  
+  This type is designed for implicit flows. In this case, providing both the client ID and client secret will result in a failure because the implicit flow only requires the client ID for authentication.
 
-- Click on `Save` button.
+- **Web:**  
+  This type is intended for confidential clients. If you select this option, you must provide both the client ID and client secret. Simply passing the client ID will cause the authorization process to fail, as the Authorization Code flow requires both credentials for successful authentication.
+  The [OIDC Authorization Code Flow](/deployment/security/oidc) is used in this case, where the client secret is required to securely exchange the authorization code for tokens.
 
-{% note %}
 
-Note: Scopes `openid`, `email` & `profile` are required to fetch the user details so you will have to add these scopes in your client.
+### Recommendation:
 
-{% /note %}
+- Use the **Web** type for confidential clients that require both a client ID and secret.
+- Use the **SPA** type for applications using implicit flows where only a client ID is needed.
 
-### Step 5: Where to Find the Credentials
-
-- Navigate to the `Credentials` tab.
-- You will find your Client `Secret` related to the Client id "open-metadata"
-
-{% image src="/images/v1.5/deployment/security/keycloak/6-client-credentials.png" alt="client-credentials" /%}
-
-After the applying these steps, the users in your realm are able to login in the openmetadata, as a suggestion create a user called "admin-user". Now you can update the configuration of your deployment:
-
-{% inlineCalloutContainer %}
-  {% inlineCallout
-    color="violet-70"
-    icon="celebration"
-    bold="Docker Security"
-    href="/deployment/security/keycloak/docker" %}
-    Configure Keycloak SSO for your Docker Deployment.
-  {% /inlineCallout %}
-  {% inlineCallout
-    color="violet-70"
-    icon="storage"
-    bold="Bare Metal Security"
-    href="/deployment/security/keycloak/bare-metal" %}
-    Configure Keycloak SSO for your Bare Metal Deployment.
-  {% /inlineCallout %}
-  {% inlineCallout
-    color="violet-70"
-    icon="fit_screen"
-    bold="Kubernetes Security"
-    href="/deployment/security/keycloak/kubernetes" %}
-    Configure Keycloak SSO for your Kubernetes Deployment.
-  {% /inlineCallout %}
-{% /inlineCalloutContainer %}
-
-{% note %}
-A dockerized demo for showing how this SSO works with OpenMetadata can be found [here](https://github.com/open-metadata/openmetadata-demo/tree/main/keycloak-sso).
 {% /note %}
-
 {% partial file="/v1.5/deployment/configure-ingestion.md" /%}