Skip to main content
important

This topic is deleted from the product documentation because this Beta feature is deprecated.

Identity (Beta)

The Identity custom resource allows you to configure the Replicated identity service for your application.

The following is an example manifest file for the Identity custom resource:

apiVersion: kots.io/v1beta1
kind: Identity
metadata:
name: my-application
spec:
identityIssuerURL: https://{{repl ConfigOption "ingress_hostname"}}/dex
oidcRedirectUris:
- https://{{repl ConfigOption "ingress_hostname"}}/oidc/login/callback
supportedProviders: [ oidc ]
requireIdentityProvider: true
roles:
- id: member
name: Member
description: Can see every member and non-secret team in the organization.
- id: owner
name: Owner
description: Has full administrative access to the entire organization.
oauth2AlwaysShowLoginScreen: false
signingKeysExpiration: 6h
idTokensExpiration: 24h
webConfig:
title: My App
theme:
logoUrl: data:image/png;base64,<encoded_base64_stream>
logoBase64: <base64 encoded png file>
styleCssBase64: <base64 encoded [styles.css](https://github.com/dexidp/dex/blob/v2.27.0/web/themes/coreos/styles.css) file>
faviconBase64: <base64 encoded png file>

identityIssuerURL

(required) This is the canonical URL that all clients must use to refer to the OIDC identity service. If a path is provided, the HTTP service will listen at a non-root URL.

oidcRedirectUris

(required) A registered set of redirect URIs. When redirecting from the Replicated app manager identity OIDC server to the client, the URI requested to redirect to must match one of these values.

supportedProviders

A list of supported identity providers. If unspecified, all providers will be available.

requireIdentityProvider

If true, require the identity provider configuration to be set by the customer before the app can be deployed.

roles

(id required) A list of roles to be mapped to identity provider groups by the customer on the Replicated Admin Console identity service configuration page.

oauth2AlwaysShowLoginScreen

If true, show the identity provider selection screen even if there's only one configured. Default false.

signingKeysExpiration

Defines the duration of time after which the SigningKeys will be rotated. Default 6h.

idTokensExpiration

Defines the duration of time for which the IdTokens will be valid. Default 24h.

webConfig

Can be used for branding the application identity login screen.