User authentication

Using Keycloak to enable user authentication

Last updated 2 months ago

Let's set up Keycloak to enable users to create accounts and log in to our Onyxia instance.

Note that in this installation guide we make you use Keycloak, but you can use any OIDC-compliant provider such as Entra ID or Auth0. See the OpenID Connect Configuration guide for provider-specific instructions and detailed authentication-related configuration options.

Deploying Keycloak

We're going to install Keycloak just like we installed Onyxia.

Before anything, open apps/keycloak/values.yaml in your onyxia-ops repo and . Also write down the keycloak.auth.adminPassword; you'll need it to connect to the Keycloak console.

Configuring Keycloak

You can now log in to the administration console at https://auth.lab.my-domain.net/auth/ using the username keycloak and the password you wrote down earlier.

  1. Create a realm called "datalab" (or something else), go to Realm settings

    1. On the tab General

      1. User Profile Enabled: On

    2. On the tab login

      1. User registration: On

      2. Forgot password: On

      3. Remember me: On

    On the tab Email

      1. From: noreply@lab.my-domain.net

      2. Host: email-smtp.us-east-2.amazonaws.com

      3. Port: 465

      4. Authentication: enabled

      5. Username: **************

      6. Password: ***************************************

      7. When clicking "save" you'll be asked for a test email address; you have to provide one that corresponds to a pre-existing user, or you will get a silent error and the credentials won't be saved.

    3. On the tab Themes

      1. Login theme: onyxia-web (you can also select the login theme on a per client basis)

      2. Email theme: onyxia-web

    4. On the tab Localization

      1. Internationalization: Enabled

      2. Supported locales: <Select the languages you wish to support>

    5. On the tab Session

      • Users without "Remember Me" will need to log in every 2 weeks:

        • Set Session idle timeout: 14 days.

        • Set Session max idle timeout: 14 days.

      • Users who checked "Remember Me" should stay logged in for 1 year:

        • Set Session idle timeout (Remember Me): 365 days.

        • Set Session max idle timeout (Remember Me): 365 days.

  2. Create a client with client ID "onyxia"

    1. Root URL: https://datalab.my-domain.net/

    2. Valid redirect URIs: https://datalab.my-domain.net/

    3. Login theme: onyxia-web

  3. In Authentication (on the left panel) -> Tab Required Actions, enable Terms and Conditions and set it as a default action.

Now you want to ensure that the usernames chosen by your users comply with Onyxia's requirement (only alphanumeric characters) and define the list of email domains allowed to register to your service.

Go to Realm Settings (on the left panel) -> Tab User Profile -> JSON Editor.

Now you can edit the file as suggested in the following DIFF snippet. Be mindful that in this example only @gmail.com and @hotmail.com email addresses are allowed to register; you will want to edit that.

{
  "attributes": [
    {
      "name": "username",
      "displayName": "${username}",
      "validations": {
        "length": {
          "min": 3,
          "max": 255
        },
+       "pattern": {
+         "error-message": "${lowerCaseAlphanumericalCharsOnly}",
+         "pattern": "^[a-z0-9]*$"
+       },
        "username-prohibited-characters": {}
      }
    },
    {
      "name": "email",
      "displayName": "${email}",
      "validations": {
        "email": {},
+       "pattern": {
+         "pattern": "^[^@]+@([^.]+\\.)*((gmail\\.com)|(hotmail\\.com))$"
+       },
        "length": {
          "max": 255
        }
      }
    },
...
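Review bot: the email pattern `^[^@]+@([^.]+\\.)*((gmail\\.com)|(hotmail\\.com))$` also accepts any subdomain of the listed domains because of the optional `([^.]+\\.)*` group, so `user@foo.gmail.com` passes the allow-list; if the intent is to admit exactly those two domains, use `^[^@]+@(gmail\\.com|hotmail\\.com)$` instead. On the username side, `^[a-z0-9]*$` matches the empty string and relies on the adjacent `"length": {"min": 3}` validator to reject it, which is fine as long as both validators stay together. The doubled backslashes are correct here: the JSON editor decodes `\\.` to the regex escape `\.`.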

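Before saving the user profile, it is worth dry-running the validators against a few candidate values, in particular to confirm that the `\\.` escapes survive JSON decoding and to see which email domains the pattern really admits. The following script is an added example and not part of the Onyxia documentation or of Keycloak; it embeds the snippet above (with the `+` lines applied) as a constructed input and emulates only the `length` and `pattern` validators with Python's `re` module.

```python
import json
import re

# Constructed: the two attributes from the snippet above with the '+' lines
# applied. Raw string so the JSON keeps its "\\." escapes for json.loads.
USER_PROFILE = r'''{"attributes": [
  {"name": "username", "validations": {
    "length": {"min": 3, "max": 255},
    "pattern": {"error-message": "${lowerCaseAlphanumericalCharsOnly}",
                "pattern": "^[a-z0-9]*$"},
    "username-prohibited-characters": {}}},
  {"name": "email", "validations": {
    "email": {},
    "pattern": {"pattern": "^[^@]+@([^.]+\\.)*((gmail\\.com)|(hotmail\\.com))$"},
    "length": {"max": 255}}}]}'''


def load_validators(profile_json):
    """Map attribute name -> (compiled regex or None, min length, max length).

    Only the "length" and "pattern" validators are emulated; Keycloak's
    built-in "email" and "username-prohibited-characters" checks are not.
    """
    out = {}
    for attr in json.loads(profile_json)["attributes"]:
        checks = attr["validations"]
        pat = checks.get("pattern", {}).get("pattern")
        length = checks.get("length", {})
        out[attr["name"]] = (re.compile(pat) if pat else None,
                             length.get("min", 0), length.get("max", 255))
    return out


def accepted(validators, attribute, value):
    """True if value passes the length and pattern validators of attribute."""
    regex, lo, hi = validators[attribute]
    if not lo <= len(value) <= hi:
        return False
    # The whole value must match; the ^/$ anchors in the patterns above make
    # this explicit, and fullmatch enforces it regardless.
    return regex is None or regex.fullmatch(value) is not None


if __name__ == "__main__":
    v = load_validators(USER_PROFILE)
    for attribute, value in [("username", "alice42"), ("username", "Alice"),
                             ("email", "alice@gmail.com"),
                             ("email", "alice@mail.gmail.com"),  # subdomain slips through
                             ("email", "alice@example.org")]:
        verdict = "accepted" if accepted(v, attribute, value) else "rejected"
        print(f"{attribute:8} {value:24} {verdict}")
```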
Now that our Keycloak server is fully configured, we just need to update our Onyxia deployment to let it know about it.

Updating the Onyxia configuration

In your GitOps repo you now want to update your onyxia configuration.

git clone https://github.com/<your-github-org>/onyxia-ops
cd onyxia-ops
cd apps/onyxia
mv values-keycloak-enabled.yaml values.yaml
git commit -am "Enable keycloak"
git push

Here is the DIFF of the Onyxia configuration: Enable Keycloak · InseeFrLab/onyxia-ops@37faa63 (on GitHub).

Now your users should be able to create accounts, log in, and start services in their own Kubernetes namespace.

The next step in the installation process is to enable all the S3-related features of Onyxia: Data (S3).

Try to remember, when you update Onyxia in apps/onyxia/Chart.yaml, to also update the Onyxia theme in apps/keycloak/values.yaml.

On the tab Email, we give an example with AWS SES. If you don't have an SMTP server at hand you can skip this by going to Authentication (on the left panel) -> Tab Required Actions -> uncheck "Set as default action" for Verify Email. Be aware that with email verification disabled, anyone will be able to sign up to your service.

[Screenshot] The screen you should see when clicking on "login" in your Onyxia deployment.