Authenticating with OpenID Connect
Security Requirements and Controls
Change identity providerspermission
LogScale supports authenticating with any provider following the OpenID Connect standard. When OpenID Connect is configured, LogScale accepts OpenID tokens issued by the OpenID Connect provider (LogScale acts as a resource in OpenID Connect terms). This is useful if you are running LogScale behind a proxy that handles authentication.
In addition to acting as a resource, LogScale can also act as a client responsible for authenticating users (a relying party in OpenID Connect terms). This is similar to other OAuth authentication flows LogScale supports.
The following parameters are necessary for running LogScale as either a relying party or resource:
OIDC_PROVIDER— URL to the OpenID Connect provider. The provider URL must match the issuer reported by the OpenID provider exactly. Required.
OIDC_AUDIENCE— The audience to expect in a JWT. Defaults to the client ID if set and to
OIDC_USERNAME_CLAIM— The name of the claim to interpret as username in LogScale. The value in the claim must be a string. Defaults to
humio-user. Can be set to
OIDC_GROUPS_CLAIM— The name of the claim to interpret as the groups in LogScale. The value in the claim must be an array of strings. Optional. Defaults to
OIDC_CACHE_USERINFO_MS— How long user info is cached on a LogScale node in milliseconds. Optional. Defaults to 600000 (10 minutes).
LogScale will use the OpenID Connect Discovery endpoint
to configure the remaining parameters automatically. If your provider
does not have such an endpoint, the following parameters must be
OIDC_AUTHORIZATION_ENDPOINT— A URL to the endpoint a user should be redirected to when authorizing. Required for clients.
OIDC_TOKEN_ENDPOINT— A URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
OIDC_TOKEN_ENDPOINT_AUTH_METHOD— The authentication method used to authenticate LogScale against the token endpoint. Can either be
client_secret_basicor client_secret_post for placing the client id and secret in either basic auth or post data, respectively. Defaults to
client_secret_basicis not supported as per the discovery endpoint.
OIDC_USERINFO_ENDPOINT— A URL to the user info endpoint used to retrieve user information from an access token. Required.
OIDC_JWKS_URI— A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.
To use OIDC as a client,
PUBLIC_URL must be set,
LogScale must be registered as a client with your OpenID provider, and
the provider must allow
%PUBLIC_URL%/auth/oidc as a valid
redirect endpoint for the client. The following parameters can be used
to configure client setup
OIDC_OAUTH_CLIENT_ID— Client ID of your OpenID application. Required.
OIDC_OAUTH_CLIENT_SECRET— Client secret of your OpenID application. Required.
OIDC_SERVICE_NAME— The display name of the OIDC provider on the sign in page of LogScale. Optional. Defaults to "OpenID Connect".
OIDC_SCOPES— Comma-separated list of scopes to add in addition to the default requested scopes (
If you are running LogScale with an HTTP Proxy and do want to use it for OpenID Connect, you should set the following environment variable:
Below is an example of a configuration file:
# Basic configuration
# Client configuration
OIDC_OAUTH_CLIENT_ID=$CLIENT_ID #The client_id from your OpenID Connect Application
OIDC_OAUTH_CLIENT_SECRET=$CLIENT_SECRET #The client_secret your OpenID Connect Application
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true # default is false
Read more about Configuration Settings.