Authenticate with OpenID Connect

LogScale supports authenticating with any provider following the OpenID Connect standard. When OpenID Connect is configured, LogScale accepts OpenID tokens issued by the OpenID Connect provider (LogScale acts as a resource in OpenID Connect terms). This is useful if you are running LogScale behind a proxy that handles authentication.

In addition to acting as a resource, LogScale can also act as a client responsible for authenticating users (a relying party in OpenID Connect terms). This is similar to other OAuth authentication flows LogScale supports.

The diagram illustrates how OpenID Connect (OIDC) authentication works with LogScale. LogScale can function in two roles within the OIDC framework:

  1. As a Resource where LogScale accepts tokens issued by an OIDC provider

  2. As a Relying Party (Client) where LogScale handles authentication through an OIDC provider

sequenceDiagram
    participant User
    participant Browser
    participant LogScale as LogScale
    participant IDP as OIDC Provider
    Note over User, IDP: LogScale as OIDC Relying Party (Client) Flow
    User->>Browser: Attempts to access LogScale
    Browser->>LogScale: Requests access to protected resource
    LogScale->>Browser: Redirects to OIDC provider
    Browser->>IDP: Redirects with client_id, redirect_uri, scope, etc.
    IDP->>Browser: Presents login page
    User->>Browser: Enters credentials
    Browser->>IDP: Submits login credentials
    IDP->>IDP: Authenticates user
    IDP->>Browser: Redirects with authorization code to redirect_uri
    Browser->>LogScale: Sends authorization code
    LogScale->>IDP: Requests tokens with authorization code + client_secret
    IDP->>LogScale: Returns ID token, access token, refresh token
    LogScale->>IDP: Validates tokens & requests user info (if needed)
    IDP->>LogScale: Returns user information
    LogScale->>LogScale: Creates session & maps OIDC claims to user profile
    Note right of LogScale: Maps username from claim<br>(configurable via OIDC_USERNAME_CLAIM)<br>Maps groups from claim<br>(configurable via OIDC_GROUPS_CLAIM)
    LogScale->>Browser: Returns authenticated session
    Browser->>User: Shows LogScale interface
    Note over User, IDP: Alternative: LogScale as Resource (Token Validation Only)
    User->>Browser: Attempts to access LogScale with token
    Browser->>LogScale: Sends request with OIDC token
    LogScale->>LogScale: Validates token signature using JWKS
    LogScale->>LogScale: Verifies audience, issuer, expiration
    LogScale->>LogScale: Extracts username & group info from claims
    LogScale->>Browser: Returns authenticated session if token valid
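The claim checks in the "LogScale as Resource" part of the diagram (issuer, audience, expiration, then username and group extraction), as an added example that is not LogScale's own code. It assumes the token signature has already been verified against the provider's JWKS; the client ID, the claim names chosen for OIDC_USERNAME_CLAIM and OIDC_GROUPS_CLAIM, the skew allowance and the sample token are all constructed for illustration.

```python
import base64, json, time

ISSUER = "https://dev-84903084.okta.com"  # Issuer value shown in step 5 of this page
AUDIENCE = "example-client-id"            # assumed placeholder client ID
USERNAME_CLAIM = "email"                  # assumed value for OIDC_USERNAME_CLAIM
GROUPS_CLAIM = "groups"                   # assumed value for OIDC_GROUPS_CLAIM
SKEW = 60                                 # assumed clock-skew allowance, seconds

class ClaimError(ValueError):
    """Raised when a token's claims fail validation."""

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims):
    """Build a constructed sample token; the signature segment is a dummy."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2ln"

def decode_payload(token):
    """Decode the payload only. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ClaimError("not a three-part compact token")
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise ClaimError("payload is not base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ClaimError("payload is not a JSON object")
    return claims

def validate_and_map(token, now=None):
    """Check iss/aud/exp, then return (username, groups) from the mapped claims."""
    claims = decode_payload(token)
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ClaimError("issuer mismatch")
    aud = claims.get("aud")  # may be a single string or a list of strings
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if AUDIENCE not in audiences:
        raise ClaimError("audience mismatch")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now > exp + SKEW:
        raise ClaimError("exp missing or in the past")
    user = claims.get(USERNAME_CLAIM)
    if not isinstance(user, str) or not user:
        raise ClaimError("username claim missing")
    groups = claims.get(GROUPS_CLAIM, [])  # an absent claim means no groups
    groups = [groups] if isinstance(groups, str) else groups
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ClaimError("groups claim malformed")
    return user, sorted(set(groups))
```

A token that fails any check raises ClaimError before any username or group is returned, so a rejected token never yields a partial identity.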

Create an OpenID Connect app

Important

Prior to performing the steps below, make sure that you have a fully activated Okta account.

Log in and navigate to the main page of the Okta interface:

  1. Click Admin to navigate to the Admin Dashboard. From there, click Applications and select Applications.

    Screenshot of the Okta Admin Dashboard showing the Applications navigation menu with the Applications option highlighted

    Figure 85. Navigating to the Applications Section in Okta


  2. Next, click Create App Integration.

    Screenshot of the Okta Applications page with the 'Create App Integration' button highlighted

    Figure 86. Starting the App Integration Process


  3. Select OIDC - OpenID Connect and Web Application. Click Next.

    Screenshot of the Okta "Create a new app integration" dialog showing the selection options for sign-in method and application type. The "OIDC - OpenID Connect" sign-in method and "Web Application" application type are selected, with the "Next" button enabled for proceeding with the configuration

    Figure 87. Selecting OpenID Connect App Type in Okta


  4. Name the app, for example LogScale OIDC, and upload an image (optional). Enter the following:

    • Grant Type: Client Credentials

    • Sign-in redirect URLs: $LOGSCALE_URL/auth/oidc

    • Sign-out redirect URLs (optional): remove any existing entries.

    • Assignments: Select Skip Group Assignment for now

    Click Save.

    Screenshot of the Okta "Create OpenID Connect App Integration" form showing the application configuration options including App integration name field, logo upload option, and Grant type selection. This is the first part of the configuration form where basic application identity details are specified

    Figure 88. Configuring OIDC Application Settings in Okta


    Screenshot of the Okta application configuration form's second section, showing the Sign-in redirect URI field populated with the LogScale authentication endpoint URL, Sign-out redirect URIs section, and the Assignment options where "Skip group assignment for now" is selected. This section configures how authentication redirects and user assignments are handled

    Figure 89. Configuring Redirect URLs and Assignments in Okta


  5. Click the Sign On tab of the app and, under OpenID Connect ID Token, set Issuer to Okta URL (https://dev-84903084.okta.com). Set Group claims filter to groups and select Matches regex with the regex pattern .*. Click Save.

    Screenshot of the Okta Admin Dashboard showing the Sign On tab configuration for OpenID Connect ID Token settings, where the issuer is set to the Okta URL and the Group claims filter is configured with "groups" using a regex pattern of ".*" to include all groups in the token

    Figure 90. Configuring Group Claims in OpenID Connect ID Token


Configure LogScale to use OpenID Connect

To configure OpenID Connect to work with LogScale, contact Support.