# IdentityProvider
An IdentityProvider resource registers an upstream OIDC/OAuth2 identity provider (e.g. Google, GitHub, Okta, or any generic OIDC IdP) with the Nauthera operator. Users can then sign in via the upstream IdP instead of — or in addition to — username and password.
This feature requires a Business+ license (Feature::Sso).
## Example

### Google

```yaml
apiVersion: auth.nauthera.io/v1alpha1
kind: IdentityProvider
metadata:
  name: google
  namespace: my-app
spec:
  displayName: "Sign in with Google"
  issuerUrl: "https://accounts.google.com"
  clientId: "123456789.apps.googleusercontent.com"
  clientSecretRef:
    name: google-oidc-creds
  iconUrl: "https://www.google.com/favicon.ico"
```

### GitHub
```yaml
apiVersion: auth.nauthera.io/v1alpha1
kind: IdentityProvider
metadata:
  name: github
  namespace: my-app
spec:
  displayName: "Sign in with GitHub"
  issuerUrl: "https://token.actions.githubusercontent.com"
  clientId: "gh-client-id"
  clientSecretRef:
    name: github-oidc-creds
    key: secret
  scopes:
    - openid
    - email
  claimMappings:
    - upstreamClaim: login
      localField: nickname
  iconUrl: "https://github.com/favicon.ico"
```

## Client Secret
The `clientSecretRef` points to a Kubernetes Secret in the same namespace:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: google-oidc-creds
  namespace: my-app
type: Opaque
stringData:
  client_secret: "GOCSPX-xxxxxxxxxxxx"
```

## Spec Reference
### spec.displayName

Type: `string` | Optional

Human-readable name shown on the login button (e.g. "Sign in with Google"). Defaults to the resource name if omitted.

### spec.issuerUrl

Type: `string` | Required

OIDC issuer URL. Used to discover the upstream OpenID Connect metadata at `{issuerUrl}/.well-known/openid-configuration`.

### spec.clientId

Type: `string` | Required

Client ID registered with the upstream identity provider.

### spec.clientSecretRef

Type: `object` | Required

Reference to the Kubernetes Secret containing the client secret.

| Field | Type | Default | Description |
|---|---|---|---|
| `name` | string | — | Name of the Secret in the same namespace |
| `key` | string | `client_secret` | Key within the Secret that holds the value |

### spec.scopes

Type: `[]string` | Optional

OAuth2 scopes to request from the upstream IdP. Defaults to `["openid", "email", "profile"]`.

### spec.claimMappings

Type: `[]object` | Optional

Map upstream JWT/userinfo claims to local user record fields. When omitted, the standard OIDC claims (`email`, `name`, `given_name`, `family_name`, `picture`, `locale`) are mapped automatically.

Each entry has:

| Field | Type | Description |
|---|---|---|
| `upstreamClaim` | string | Name of the claim in the upstream ID token or userinfo response |
| `localField` | string | Local user record field to populate |

Supported `localField` values: `email`, `name`, `given_name`, `family_name`, `nickname`, `picture`, `locale`, `phone_number`.

### spec.iconUrl

Type: `string` | Optional

URL of an icon/logo image to display on the login button. When omitted, the login UI shows a generic IdP icon.
## Status

| Field | Type | Description |
|---|---|---|
| `ready` | bool | Whether the provider is fully reconciled and ready |
| `providerId` | string | Provider ID used in federation URLs: `{namespace}.{resource-name}` |
| `message` | string | Human-readable message about the current reconciliation state |
| `lastReconciled` | string | Last time the resource was reconciled |
| `observedGeneration` | int | Current observed generation |
## How Federation Works

1. The user clicks "Sign in with ..." on the Nauthera login page.
2. Nauthera redirects to the upstream IdP's authorization endpoint.
3. The user authenticates at the upstream IdP.
4. The upstream IdP redirects back to Nauthera's callback URL.
5. Nauthera exchanges the authorization code for tokens, maps claims to a local user record, and issues its own tokens.

Federation URLs follow the pattern:

- Initiate: `GET /login/federation/{providerId}`
- Callback: `GET /login/federation/{providerId}/callback`
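As an added example (not Nauthera's own code), the following Python applies the Spec Reference defaults and constraints to a manifest and derives the status `providerId` and the federation URLs from the patterns in this section. The https requirement on `issuerUrl` and the `GITHUB_MANIFEST` dict are this example's own assumptions, not something the page states.

```python
"""Apply IdentityProvider spec defaults and derive federation URLs.

Added example, not Nauthera's own code. Encodes the Spec Reference rules
(required fields, default key and scopes, standard-claim mappings, allowed
localField values) and the providerId / federation URL patterns."""
from urllib.parse import urlparse

DEFAULT_SCOPES = ["openid", "email", "profile"]
STANDARD_CLAIMS = ["email", "name", "given_name", "family_name", "picture", "locale"]
LOCAL_FIELDS = set(STANDARD_CLAIMS) | {"nickname", "phone_number"}


def normalize(manifest: dict) -> dict:
    """Return the effective configuration, or raise ValueError for an invalid spec."""
    meta, spec = manifest["metadata"], manifest["spec"]
    for field in ("issuerUrl", "clientId", "clientSecretRef"):
        if field not in spec:
            raise ValueError(f"spec.{field} is required")
    issuer = urlparse(spec["issuerUrl"])
    if issuer.scheme != "https" or not issuer.netloc:  # assumption: page does not state this
        raise ValueError("spec.issuerUrl must be an absolute https URL")
    # Omitted claimMappings: the standard claims map to same-named local fields.
    mappings = spec.get("claimMappings") or [
        {"upstreamClaim": c, "localField": c} for c in STANDARD_CLAIMS]
    for m in mappings:
        if m["localField"] not in LOCAL_FIELDS:
            raise ValueError(f"unsupported localField {m['localField']!r}")
    ref = spec["clientSecretRef"]
    provider_id = f"{meta['namespace']}.{meta['name']}"  # status.providerId
    return {
        "providerId": provider_id,
        "displayName": spec.get("displayName", meta["name"]),
        # rstrip avoids a double slash when issuerUrl is written with a trailing "/"
        "discoveryUrl": spec["issuerUrl"].rstrip("/") + "/.well-known/openid-configuration",
        "clientId": spec["clientId"],
        "clientSecretRef": {"name": ref["name"], "key": ref.get("key", "client_secret")},
        "scopes": list(spec.get("scopes", DEFAULT_SCOPES)),
        "claimMappings": mappings,
        "initiateUrl": f"/login/federation/{provider_id}",
        "callbackUrl": f"/login/federation/{provider_id}/callback",
    }

GITHUB_MANIFEST = {  # the page's GitHub example as a dict (constructed sample input)
    "metadata": {"name": "github", "namespace": "my-app"},
    "spec": {"displayName": "Sign in with GitHub", "clientId": "gh-client-id",
             "issuerUrl": "https://token.actions.githubusercontent.com",
             "clientSecretRef": {"name": "github-oidc-creds", "key": "secret"},
             "scopes": ["openid", "email"],
             "claimMappings": [{"upstreamClaim": "login", "localField": "nickname"}]},
}
```

Run `normalize(GITHUB_MANIFEST)` to see the effective configuration; a manifest that omits `clientSecretRef.key`, `scopes` or `claimMappings` gets the documented defaults, and an unsupported `localField` is rejected.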
## Related Resources
- OidcClient — The application that users sign in to.
- AuthPolicy — MFA and token policies apply to federated sessions as well.
- SamlIdentityProvider — For SAML 2.0 upstream providers (Enterprise).