OIDC configuration - Weaviate

Description

I am trying to enable OIDC configuration for weaviate cluster

config added:

export AUTHENTICATION_OIDC_ENABLED=true
export AUTHENTICATION_OIDC_ISSUER="{issuer_url}"
export AUTHENTICATION_OIDC_CLIENT_ID="{client_id}"

Verified the same in the logs as well:

time="2024-04-23T18:01:36-07:00" level=debug msg="configured OIDC and anonymous access client" action=startup startup_time_left=59m59.708999607s

http://weaviate-server:8080/v1/.well-known/openid-configuration

So the configuration is set properly at the Weaviate server level.

The OIDC config supports authorization_code, so we are trying to access Weaviate using a bearer_token,
following the document Authentication | Weaviate - Vector Database.

In the document it's mentioned to run the below to get an access_token:

* `{authorization_endpoint}`?client_id=`{clientId}`&response_type=code%20id_token&response_mode=fragment&redirect_url=`{redirect_url}`&scope=openid&nonce=abcd
* the `redirect_url` must have been [pre-registered](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) with your token issuer.

I gathered all the details and ran the request in the browser:

Error: Response type requested: "id_token"; The Implicit grant type flow is not supported. Please change the grant type on your application to one of the supported values.

If I don't use id_token in the URL, it routes to the Weaviate URL homepage and I see the code (token) in the URL:

http://weaviate-server:8080/v1#code=************723aa3c

I tried to log in using this code as the bearer_token, but the connection fails.

curl http://weaviate-server:8080/v1/objects -H "Authorization: Bearer ************723aa3c" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    89  100    89    0     0  44500      0 --:--:-- --:--:-- --:--:-- 44500
{
  "code": 401,
  "message": "oidc: malformed jwt: oidc: malformed jwt, expected 3 parts got 1"
}

Let me know how to fix this issue?

Regards.
Adithya

Server Setup Information

  • Weaviate Server Version: 1.23
  • Deployment Method: On VM’s
  • Multi Node? Number of Running Nodes: yes
  • Client Language and Version: Python v4

Hi Team,

Our OIDC provider supports the response/grant types below.

"response_types_supported": [
  "code"
],
"scopes_supported": [
  "openid",
  "offline_access"
],
"response_modes_supported": [
  "query",
  "fragment"
],
"grant_types_supported": [
  "authorization_code",
  "refresh_token"
],

Let me know how to configure OIDC with these grant types!

Regards,
Adithya
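The 401 above is the shape of the token, not the OIDC config: an authorization code is a single opaque string, while Weaviate expects a JWT (three dot-separated parts). With a provider that only offers `response_type=code` and `grant_type=authorization_code`, the code has to be exchanged at the provider's `token_endpoint` (listed in its discovery document) for an `id_token` before it is sent as a bearer token. The following is an added example that is not part of this thread or of Weaviate's own code; it assumes a standard OpenID Connect public client (no client secret), the endpoint and redirect URL names are placeholders, and the `send` callable is only there so the flow can be exercised without a live provider.

```python
"""Exchange an OIDC authorization code for an id_token, then use it as the bearer token.

Assumptions (not from the thread): a public client without a client_secret, and a
provider whose discovery document lists a token_endpoint that returns an id_token JWT.
"""
import json
import urllib.parse
import urllib.request


def code_from_redirect(redirect_url: str) -> str:
    """Pull `code` out of the redirect, e.g. http://host:8080/v1#code=abc (fragment mode)."""
    parts = urllib.parse.urlsplit(redirect_url)
    params = urllib.parse.parse_qs(parts.fragment or parts.query)
    if "code" not in params:
        raise ValueError("no authorization code in redirect URL")
    return params["code"][0]


def looks_like_jwt(token: str) -> bool:
    """The check behind 'malformed jwt, expected 3 parts got 1': header.payload.signature."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)


def token_endpoint_from_discovery(discovery: dict) -> str:
    """Read token_endpoint from the /.well-known/openid-configuration document."""
    return discovery["token_endpoint"]


def token_request(token_endpoint: str, client_id: str, code: str, redirect_uri: str):
    """Build the authorization_code grant request (RFC 6749 section 4.1.3)."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the pre-registered redirect URL
        "client_id": client_id,
    }).encode()
    return urllib.request.Request(token_endpoint, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def bearer_token_for_weaviate(token_endpoint, client_id, code, redirect_uri, send=None):
    """Exchange the code and return the JWT to put in `Authorization: Bearer ...`."""
    send = send or (lambda req: json.load(urllib.request.urlopen(req)))
    resp = send(token_request(token_endpoint, client_id, code, redirect_uri))
    token = resp.get("id_token") or resp.get("access_token")
    if not token or not looks_like_jwt(token):
        raise ValueError("token endpoint did not return a JWT; refusing to send it as bearer")
    return token
```

Running `looks_like_jwt` on the value from the redirect fragment before calling Weaviate reproduces the server's own check locally, which is the quickest way to tell an authorization code from a usable token.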

Hi @adithya.ch !

I'll take a look at this later today. I have not played with OIDC yet, and this is a great opportunity to do it :slight_smile:

I’ll get back here with more info!

Sure @DudaNogueira. Thank you.

The api_key authentication mechanism is not very secure, as the keys (passwords) are plain text and whoever has access to values.yaml will be able to use these keys to connect. If we want to add new users, I need to update values.yaml and upgrade the Helm chart again, which in turn restarts the pods, which we want to avoid.

It would be great if we could make DUO OIDC work with Weaviate.

Regards,
Adithya

@DudaNogueira, please let me know if there are any updates on this OIDC issue?

Regards,
Adithya

Hi @adithya.ch !

I was able to run Weaviate using Keycloak, but I'm not sure this helps us here. :thinking:

As far as I understood, you want to generate the token yourself and pass it to the client, right?

You have a valid point that if you want to change the API key, you will need to restart the pods. However, this should not bring downtime, as you will have HA with multiple pods.

For storing the keys in values.yml, you may be able to use helm-secrets:

Let me know if this helps. For new features in Weaviate, we advise opening a feature request in our repo: