Authenticating with OpenID Connect

From version 1.9.0, Humio supports authenticating with any provider following the OpenID Connect standard. When OpenID Connect is configured, Humio accepts OpenID tokens issued by the OpenID Connect provider (Humio acts as a “resource” in OpenID Connect terms). This is useful if you are running Humio behind a proxy that handles authentication.

In addition to acting as a resource, Humio can also act as a client responsible for authenticating users (a “relying party” in OpenID Connect terms). This is similar to other OAuth authentication flows Humio supports.

Configuration

The following parameters are necessary for running Humio as either a relying party or resource:

  • OIDC_PROVIDER — URL to the OpenID Connect provider. The provider URL must match the issuer reported by the OpenID provider exactly. Required.
  • OIDC_AUDIENCE— The audience to expect in a JWT. Defaults to the client ID if set and to “humio” otherwise.
  • OIDC_USERNAME_CLAIM — The name of the claim to interpret as username in Humio. The value in the claim must be a string. Defaults to humio-user. Can be set to email if using emails as usernames.
  • OIDC_GROUPS_CLAIM — The name of the claim to interpret as the groups in Humio. The value in the claim must be an array of strings. Optional. Defaults to humio-groups.
  • OIDC_CACHE_USERINFO_MS — How long user info is cached on a Humio node in milliseconds. Optional. Defaults to 600000 (10 minutes).

Humio will use the OpenID Connect Discovery endpoint (%OIDC_PROVIDER%/.well-known/openid-configuration) to configure the remaining parameters automatically. If your provider does not have such an endpoint, the following parameters must be specified:

  • OIDC_AUTHORIZATION_ENDPOINT — A URL to the endpoint a user should be redirected to when authorizing. Required for clients.
  • OIDC_TOKEN_ENDPOINT — A URL to the token endpoint used to exchange a authentication code to an access token. Required for clients.
  • OIDC_USERINFO_ENDPOINT — A URL to the user info endpoint used to retrieve user information from an access token. Required.
  • OIDC_JWKS_URI — A URL to the JWKS endpoint for retrieving keys for validating tokens. Required.

To use OIDC as a client, PUBLIC_URL must be set, Humio must be registered as a client with your OpenID provider, and the provider must allow %PUBLIC_URL%/auth/oidc as a valid redirect endpoint for the client. The following parameters can be used to configure client setup

  • OIDC_OAUTH_CLIENT_ID — Client ID of your OpenID application. Required.
  • OIDC_OAUTH_CLIENT_SECRET — Client secret of your OpenID application. Required.
  • OIDC_SERVICE_NAME — The display name of the OIDC provider on the sign in page of Humio. Optional. Defaults to “OpenID Connect”.

Configuration Example

# Basic configuration
PUBLIC_URL=$YOUR_SERVERS_BASE_URL
OIDC_PROVIDER=$PROVIDER_URL
OIDC_USERNAME_CLAIM="email"

# Client configuration
AUTHENTICATION_METHOD=oauth
OIDC_OAUTH_CLIENT_ID=$CLIENT_ID #The client_id from your OpenID Connect Application
OIDC_OAUTH_CLIENT_SECRET=$CLIENT_SECRET #The client_secret your OpenID Connect Application
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true  # default is false

Read more about Configuring Humio