Teleport
TeleportOIDCConnector
- Version 17.x
- Version 16.x
- Version 15.x
- Version 14.x
- Older Versions
This guide is a comprehensive reference to the fields in the TeleportOIDCConnector
resource, which you can apply after installing the Teleport Kubernetes operator.
resources.teleport.dev/v3
apiVersion: resources.teleport.dev/v3
| Field | Type | Description |
|---|---|---|
| apiVersion | string | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| kind | string | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| metadata | object | |
| spec | object | OIDCConnector resource definition v3 from Teleport |
spec
| Field | Type | Description |
|---|---|---|
| acr_values | string | ACR is an Authentication Context Class Reference value. The meaning of the ACR value is context-specific and varies for identity providers. |
| allow_unverified_email | boolean | AllowUnverifiedEmail tells the connector to accept OIDC users with unverified emails. |
| claims_to_roles | []object | ClaimsToRoles specifies a dynamic mapping from claims to roles. |
| client_id | string | ClientID is the id of the authentication client (Teleport Auth server). |
| client_redirect_settings | object | ClientRedirectSettings defines which client redirect URLs are allowed for non-browser SSO logins other than the standard localhost ones. |
| client_secret | string | ClientSecret is used to authenticate the client. |
| display | string | Display is the friendly name for this provider. |
| google_admin_email | string | GoogleAdminEmail is the email of a google admin to impersonate. |
| google_service_account | string | GoogleServiceAccount is a string containing google service account credentials. |
| google_service_account_uri | string | GoogleServiceAccountURI is a path to a google service account uri. |
| issuer_url | string | IssuerURL is the endpoint of the provider, e.g. https://accounts.google.com. |
| max_age | string | MaxAge is the amount of time that user logins are valid for. If a user logs in, but then does not login again within this time period, they will be forced to re-authenticate. |
| prompt | string | Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility. |
| provider | string | Provider is the external identity provider. |
| redirect_url | []string | RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used. |
| scope | []string | Scope specifies additional scopes set by provider. |
| username_claim | string | UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username. |
spec.claims_to_roles items
| Field | Type | Description |
|---|---|---|
| claim | string | Claim is a claim name. |
| roles | []string | Roles is a list of static teleport roles to match. |
| value | string | Value is a claim value to match. |
spec.client_redirect_settings
| Field | Type | Description |
|---|---|---|
| allowed_https_hostnames | []string | a list of hostnames allowed for https client redirect URLs |
| insecure_allowed_cidr_ranges | []string | a list of CIDRs allowed for HTTP or HTTPS client redirect URLs |