Setup oidc login

Setup OIDC login with auth0.com

1. Open a free account on https://auth0.com/
   • Can use google login to signup
2. Go to Applications
   • Hit Create application
   • Choose Native type
3. Hit Settings of your new application
   • Enter allowed callback urls https://localhost:8443/oidc/callback. Note :8443 is the listening port for the lxd server, it may be different for your setup. You should check the config core.https_address to get the port number for your lxd server.
   • Enable Refresh Token Rotation
   • Go to advanced settings > Grant types and Enable Device code
   • Save changes
4. Scroll all the way up copy the Domain and use it as oidc issuer (important to have the https:// prefix and end with the /)
   • lxc config set oidc.issuer=https://dev-abcdef.us.auth0.com/
5. Copy the Client ID and use it as oidc client id
   • lxc config set oidc.client.id=6f6f6f6f6f6f
6. Hit APIs and copy the API Audience, use it as oidc audience
   • lxc config set oidc.audience=https://dev-abcdef.us.auth0.com/api/v2/

Now you can hit https://localhost:8443 with an unauthenticated browser and use SSO login. Use the crendentials for auth0

Setup custom claim for permission group mapping

An admin user may set up multiple users in auth0 and allocate roles to those users. When a specific user logs in using oidc, the allocated roles for that user can be mapped to lxd permission groups by using custom claims set in auth0. This section details steps for setting up roles for an user on auth0 as well as the custom claim so that lxd can map those roles to permission groups.

1. Under User Management -> Users, create a new user, provide an email and password for that user.
2. Under User Management -> Roles, create some roles with suitable names.
3. Go to the user you created in step 1, click on the Roles tab then click Assign Roles. Select the roles you just created in step 2.
4. You will need to setup a custom action on auth0 to set the custom claim on the id_token during the oidc login flow.

• Under Actions -> Library, click on Create Action. Give the action a suitable name like roles-in-id-token, select Login / Post Login for the Trigger and leave the Runtime selection as recommended. Hit Create and you will be redirected to a code editor. Insert the code snippet shown below and hit Deploy:

exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    api.idToken.setCustomClaim(`lxd-idp-groups`, event.authorization.roles);
    api.accessToken.setCustomClaim(`lxd-idp-groups`, event.authorization.roles);
  }
};

• Once the action is deployed, got to Actions -> Flows -> Login, under the Custom actions tab, drag the action you just created and drop it in between the Start and Complete nodes of the Login flow.

5. Navigate to LXD UI, you should first authenticate using a trusted certificate, that way you can configure server settings without permission issues.
6. Now in LXD, set the server configuration oidc.groups.claim to be the custom claim you have set in step 4. Using the current example, the custom claim is lxd-idp-groups. You can do this with lxc config set oidc.groups.claim=lxd-idp-groups.
7. (experimental) In the UI for lxd, you will need to navigate to Permissions -> IDP groups and create mapping for assigning roles on auth0 to permission groups created on LXD. For each idp group created in LXD, the name of the idp group must match a role you have created in auth0 and it should map to one or more permission groups in LXD.
8. Lastly, you will need to login as an user with roles assigned in auth0. During the oidc flow, lxd will automatically try extract the custom claim from the user's id_token based on the oidc.groups.claim config value. The extracted custom claim would be an array of roles for your user from auth0, those roles will then be mapped to LXD permission groups using the mapping that you created in step 6.

Setup OIDC with local keycloak

1. Download keycloak as per the getting started guide.
   1. Download keycloak-25.0.4.zip
   2. Extract the file and run bin/kc.sh start-dev from within the folder
   3. Open http://localhost:8080/ and create an admin user with password.
   4. Login with the admin user to the console
2. Create a realm. Click "keycloak" dropdown in the top left corner of the admin console. Click "create realm". Enter a name (i.e. foo-realm) leave the rest blank.
3. Go to "Realm Settings" on the newly created realm and enter the IP or domain that lxd will use to reach keycloak as "Frontend URL:" http://10.237.187.1:8080. Click save.
4. Go to "Clients", "Create clients". Enter a "Client ID" i.e. foo-client and click "Next"
5. Enable the "OAuth 2.0 Device Authorization Grant". Click "Next".
6. Enter a "Valid redirect URIs", this is your lxd ip or domain with a suffix /oidc/callback i.e. https://10.192.38.215:8443/oidc/callback. Hit "Save".
7. Go to "Users" and "Create new user", enter a "Username", leave the rest blank.
8. On the user detail page hit "Credentials" and "Set password". Save the new password. We are done in Keycloak
9. Configure LXD with the two commands lxc config set oidc.issuer=http://10.237.187.1:8080/realms/foo-realm and lxc config set oidc.client.id=foo-client.
10. Now you can login to the UI with the user created in step 7.

Setup OIDC with Ory Hydra

1. Create an Ory Hydra account
2. Go to the Ory Console. Create a client by going to OAuth 2 -> OAuth2 Clients. Click Create OAuth2 Client then select the Mobile / SPA option. Enter a client name e.g. lxd-ory-client. In the Scope field, make sure to add email and profile scopes. Enter the callback redirect URIs for the client e.g. https://localhost:8414/oidc/callback. Leave everything else in the create client form as is.
3. In LXD, set oidc.issuer and oidc.audience to the issuer URL value from the Oauth 2 Overview tab e.g. lxc config set oidc.issuer=https://<ory-host>.com.
4. Set oidc.client.id as the id for the client created in step 2. You can find the id in the client details page.
5. Now go to the LXD login page, click on "Login with SSO" and you will be redirected to the Ory login page. Create an user by signing up and follow the instructions.