OidcClient
An OidcClient resource registers an OAuth2/OIDC application with the Nauthera operator. Each client belongs to the namespace of the application it represents, enabling application teams to self-service their own OAuth2 client registrations without needing access to cluster-wide security resources.
Example
```yaml
apiVersion: auth.nauthera.io/v1alpha1
kind: OidcClient
metadata:
  name: my-webapp
  namespace: my-app-dev
spec:
  displayName: "My Awesome Web App"
  redirectUris:
    - "https://my-webapp.dev.example.com/callback"
  allowedScopes:
    - openid
    - profile
    - email
    - "api:read"
```

Spec Reference
spec.allowedOrigins
Type: []string | Optional
Browser origins allowed to make cross-origin requests for this client. Used to build the CORS allow-list. If no client configures any origins, all cross-origin requests are denied.
spec.allowedScopes
Type: []string | Required
OAuth2 scopes this client may request. Further restricted by applicable AuthPolicy/ClusterAuthPolicy.
spec.authMethod
Type: string | Optional
Client authentication method at the token endpoint.
Defaults to "client_secret_basic".
One of: client_secret_basic, client_secret_post, private_key_jwt, none.
spec.credentialsSecretName
Type: string | Optional
Name of the Secret the operator creates with OIDC credentials. Defaults to {resource-name}-credentials.
spec.displayName
Type: string | Optional
Human-readable name shown in admin UI and consent screens. Defaults to the resource name if omitted.
spec.grantTypes
Type: []string | Optional
Permitted OAuth2 grant types.
Defaults to ["authorization_code", "refresh_token"].
spec.logoutRedirectUris
Type: []string | Optional
Allowed redirect URIs for RP-initiated logout flows.
spec.pkce
Type: object | Optional
PKCE (RFC 7636) configuration.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| allowPlaintext | boolean | No | false | If true, allow the plaintext challenge method (not recommended). |
| required | boolean | No | false | If true, all authorization code requests must include a code_challenge. |
spec.redirectUris
Type: []string | Required
Allowed redirect URIs for authorization code flows. Must exactly match the redirect_uri parameter in requests.
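The following is an added example, not code from the Nauthera project: it fills in the defaults documented above for an OidcClient spec, lints the fields the Spec Reference constrains, and applies the exact-match rule for redirect URIs. The manifest dict is a constructed sample, and the "public client should require PKCE" check is an assumption drawn from general OAuth 2.0 guidance rather than from this page.

```python
# Added example (not Nauthera project code). SAMPLE_CLIENT is constructed.
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post",
                        "private_key_jwt", "none"}

SAMPLE_CLIENT = {  # constructed; mirrors the shape of the page's my-webapp
    "metadata": {"name": "my-webapp", "namespace": "my-app-dev"},
    "spec": {
        "redirectUris": ["https://my-webapp.dev.example.com/callback"],
        "allowedScopes": ["openid", "profile", "email", "api:read"],
        "authMethod": "none",
        "pkce": {"allowPlaintext": True},
    },
}


def resolve_defaults(client):
    """Return a copy of spec with the defaults documented in the Spec Reference."""
    spec = dict(client["spec"])
    spec.setdefault("displayName", client["metadata"]["name"])
    spec.setdefault("authMethod", "client_secret_basic")
    spec.setdefault("grantTypes", ["authorization_code", "refresh_token"])
    spec.setdefault("credentialsSecretName",
                    f"{client['metadata']['name']}-credentials")
    pkce = dict(spec.get("pkce") or {})
    pkce.setdefault("required", False)
    pkce.setdefault("allowPlaintext", False)
    spec["pkce"] = pkce
    return spec


def lint(client):
    """Return a list of findings; an empty list means the spec passes."""
    spec = resolve_defaults(client)
    findings = []
    for key in ("redirectUris", "allowedScopes"):  # both Required per page
        if not spec.get(key):
            findings.append(f"{key} is required and must be non-empty")
    if spec["authMethod"] not in ALLOWED_AUTH_METHODS:
        findings.append(f"authMethod {spec['authMethod']!r} is not permitted")
    if spec["pkce"]["allowPlaintext"]:
        findings.append("pkce.allowPlaintext is true (page: not recommended)")
    # Assumption beyond the page: a public client (authMethod none) should
    # require PKCE, following general OAuth 2.0 guidance (RFC 7636).
    if spec["authMethod"] == "none" and not spec["pkce"]["required"]:
        findings.append("authMethod none without pkce.required=true")
    return findings


def redirect_uri_allowed(client, requested):
    """Exact string match, as the page specifies: no prefix or wildcard."""
    return requested in resolve_defaults(client)["redirectUris"]
```

A trailing slash or an added query string on the requested redirect_uri is rejected, which is what the exact-match rule implies.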
Provisioned Resources
When you create an OidcClient, the operator provisions a Secret in the same namespace containing the generated credentials. The Secret has everything an application needs to integrate with Nauthera.
The operator sets an owner reference on the Secret, linking it to the OidcClient. Deleting the OidcClient also deletes the Secret.
Secret
Contains the sensitive credentials. The operator will only update Secrets it owns — it will not overwrite a pre-existing Secret that was not originally created by the operator.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-webapp-credentials
  namespace: my-app-dev
  ownerReferences:
    - apiVersion: auth.nauthera.io/v1alpha1
      kind: OidcClient
      name: my-webapp
type: Opaque
data:
  client_id: <base64>
  client_secret: <base64>
```

Using the Secret in a Pod
Mount the Secret as environment variables for OIDC integration:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-webapp
  namespace: my-app-dev
spec:
  template:
    spec:
      containers:
        - name: app
          image: myregistry/my-webapp:latest
          envFrom:
            - secretRef:
                name: my-webapp-credentials
```

For selective mounting, use individual valueFrom references:

```yaml
env:
  - name: OIDC_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: my-webapp-credentials
        key: client_id
  - name: OIDC_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: my-webapp-credentials
        key: client_secret
```

Tip: Use the OIDC discovery endpoint (/.well-known/openid-configuration) to discover all endpoint URLs at runtime rather than hardcoding them.
Status
| Field | Type | Description |
|---|---|---|
| clientId | string | The generated client ID. |
| credentialsSecret | string | Name of the credentials Secret. |
| lastReconciled | string | Last time the resource was reconciled. |
| message | string | Human-readable message about current state. |
| observedGeneration | integer | Current observed generation. |
| ready | boolean | Whether the client is fully reconciled and ready. |
Multi-Environment Pattern
A common pattern is to create one OidcClient per environment namespace:
```yaml
# my-app-dev namespace
apiVersion: auth.nauthera.io/v1alpha1
kind: OidcClient
metadata:
  name: my-webapp
  namespace: my-app-dev
spec:
  redirectUris:
    - "https://my-webapp.dev.example.com/callback"
  allowedScopes: [openid, profile, email]
---
# my-app-prod namespace
apiVersion: auth.nauthera.io/v1alpha1
kind: OidcClient
metadata:
  name: my-webapp
  namespace: my-app-prod
spec:
  redirectUris:
    - "https://my-webapp.example.com/callback"
  allowedScopes: [openid, profile, email]
```

Related Resources
- NautheraServiceAccount — For machine-to-machine authentication without a user context.
- AuthPolicy — The policies governing what this client can do.
- EmailProvider — Configure email delivery for verification and password reset.
- Quick Start — Step-by-step guide to creating your first client.