Harbor

This guide walks you through connecting Harbor to Nauthera so that users can sign in with their Nauthera account and have Harbor project roles assigned automatically based on group membership.

#What you will set up

• OIDC sign-in for Harbor via Nauthera
• Automatic group sync so Harbor project membership follows Nauthera groups
• Optional: restrict access to specific groups

#Prerequisites

• A running Nauthera instance with a reachable issuer URL (e.g. https://auth.example.com)
• Harbor 2.9+ deployed and accessible
• A ClusterAuthPolicy or AuthPolicy that includes the groups scope

#Step 1 — Create the OidcClient

apiVersion: auth.nauthera.io/v1alpha1
kind: OidcClient
metadata:
  name: harbor
  namespace: harbor
spec:
  displayName: Harbor Registry
  redirectUris:
    - "https://harbor.example.com/c/oidc/callback"
  allowedScopes:
    - openid
    - profile
    - email
    - groups
  grantTypes:
    - authorization_code
    - refresh_token

kubectl apply -f harbor-oidc-client.yaml

Retrieve the generated credentials:

CLIENT_ID=$(kubectl get secret harbor-credentials -n harbor -o jsonpath='{.data.client_id}' | base64 -d)
CLIENT_SECRET=$(kubectl get secret harbor-credentials -n harbor -o jsonpath='{.data.client_secret}' | base64 -d)
echo "Client ID: $CLIENT_ID"
echo "Client Secret: $CLIENT_SECRET"

#Step 2 — Enable the groups scope

Ensure your policy includes the groups scope and claim mapping:

apiVersion: auth.nauthera.io/v1alpha1
kind: ClusterAuthPolicy
metadata:
  name: default
spec:
  scopes:
    - openid
    - profile
    - email
    - groups
  claimMappings:
    - claim: groups
      attribute: groups

#Step 3 — Configure Harbor

#Via Harbor UI

1. Log in to Harbor as admin.
2. Go to Administration > Configuration > Authentication.
3. Set Auth Mode to OIDC.
4. Fill in the fields:

5. Click Test OIDC Server to verify connectivity.
6. Click Save.

#Via Helm values (harbor chart)

# values.yaml
externalURL: "https://harbor.example.com"
 
core:
  configureUserSettings: |
    {
      "auth_mode": "oidc_auth",
      "oidc_name": "Nauthera",
      "oidc_endpoint": "https://auth.example.com",
      "oidc_client_id": "<your-client-id>",
      "oidc_client_secret": "<your-client-secret>",
      "oidc_groups_claim": "groups",
      "oidc_scope": "openid,profile,email,groups",
      "oidc_auto_onboard": true,
      "oidc_user_claim": "preferred_username",
      "oidc_verify_cert": true
    }

#Step 4 — Map groups to Harbor projects

Harbor maps OIDC groups to project membership. After the first OIDC login, configure group access per project:

1. Go to a Harbor project (e.g. my-app).
2. Click Members > + Group.
3. Enter the Nauthera group name (e.g. dev-team).
4. Select the role:

5. Click OK.

Any user in the dev-team Nauthera group will now have the assigned role when they access that project.

#Step 5 — Verify

1. Open Harbor and click Login via OIDC Provider.
2. Authenticate at the Nauthera login page.
3. After redirect, check your Harbor profile — username and email should be populated.
4. Navigate to a project — your role should match the group mapping from Step 4.
5. Test Docker CLI access:

docker login harbor.example.com
# Use your Harbor username and CLI secret (generated in Harbor profile)
docker pull harbor.example.com/my-app/my-image:latest

#Restricting access

Add requiredGroups to the OidcClient to limit who can sign in:

spec:
  requiredGroups:
    - harbor-admins
    - dev-team

#Troubleshooting

#Related

• OidcClient — Full CRD reference
• AuthPolicy — Scope and claim mapping configuration
• User Management — Creating users and groups
• SCIM 2.0 — Automatic group sync from your directory