title: Authentication Configuration Overview | abcdesktop.io
description: Overview of authentication configuration in abcdesktop.io: manager types (implicit, explicit, external), provider chaining, and the od.config ConfigMap structure.
keywords: authentication, overview, implicit, explicit, external, OAuth, LDAP, od.config, ConfigMap, abcdesktop, Kubernetes
tags:
  - authentication


Authentication Overview

Configuration File

Authentication in abcdesktop.io is configured in the od.config file, which is stored as a Kubernetes ConfigMap. This section requires modifying the od.config configuration file. Refer to Updating the Configuration File for the procedure to apply changes in a Kubernetes cluster.

The authmanagers Dictionary

The authmanagers object is the root authentication configuration dictionary:

authmanagers: {
  'external': {},
  'explicit': {},
  'implicit': {}}

The od.config file supports four authmanagers entry types:

  • external — OAuth 2.0 / OpenID Connect authentication (Google, GitHub, Facebook, and other OIDC providers)
  • explicit — Directory service authentication via LDAP, LDAPS, or Microsoft Active Directory
  • metaexplicit — Microsoft Active Directory cross-domain and cross-forest trust authentication, with support for Foreign Security Principals (FSPs)
  • implicit — Anonymous (always-allow) authentication and SSL/TLS client certificate authentication

Authentication Manager Reference

authmanagers Type    Description
external             OAuth 2.0 / OpenID Connect authentication
metaexplicit         Microsoft Active Directory cross-domain trust authentication with Foreign Security Principal and Special Identity support
explicit             LDAP, LDAPS, Active Directory, and Kerberos authentication
implicit             Anonymous, always-allow, and SSL/TLS client certificate authentication

Prerequisites

Before configuring authentication, read:

Configuring the authmanagers Dictionary

Edit the od.config file and initialize the authmanagers dictionary with empty provider entries for all manager types:

authmanagers: {
  'external': {},
  'explicit': {},
  'implicit': {}}

JSON Dictionary Syntax

When defining a dictionary, the closing `}` must appear on the same line as the last entry. Example:

authmanagers: {
  'external': {},
  'explicit': {},
  'implicit': {}}

To apply the changes, recreate the abcdesktop-config ConfigMap and restart the pyos deployment:

kubectl create -n abcdesktop configmap abcdesktop-config --from-file=od.config -o yaml --dry-run=client | kubectl replace -n abcdesktop -f -
kubectl rollout restart deployment pyos-od -n abcdesktop

Open a web browser and navigate to http://localhost:30443:

[Image: authmanagers, no provider]

The login page displays no authentication providers until at least one provider is configured.
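
A check to run on od.config before recreating the ConfigMap, given as an added example (not abcdesktop.io code): it flags a closing brace on its own line, manager types other than the four listed above, and a dictionary with no provider configured. It assumes the authmanagers value parses as a Python literal and that every manager nests its entries under 'providers'; the function names and the misspelled key in the broken sample are constructed.

```python
import ast
import re

# Manager types listed on this page.
KNOWN_MANAGERS = {"external", "metaexplicit", "explicit", "implicit"}

def extract_authmanagers(text):
    """Return the authmanagers value by brace matching (assumes no braces in strings)."""
    m = re.search(r"^authmanagers\s*:\s*", text, re.MULTILINE)
    if m is None:
        raise ValueError("no authmanagers entry found")
    depth = 0
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if text[i] == "}" and depth == 0:
            return text[m.end():i + 1]
    raise ValueError("unbalanced braces in authmanagers")

def lint_authmanagers(text):
    """Return a list of findings for the authmanagers entry of an od.config text."""
    block = extract_authmanagers(text)
    findings = []
    # Rule as stated on this page: '}' stays on the line of the last entry.
    for n, line in enumerate(block.splitlines(), 1):
        if re.fullmatch(r"\s*\}[\s},]*", line):
            findings.append(f"line {n}: closing brace on its own line")
    try:
        managers = ast.literal_eval(block)
    except (ValueError, SyntaxError, TypeError) as exc:
        return findings + [f"not a parsable dictionary: {exc}"]
    if not isinstance(managers, dict):
        return findings + ["authmanagers is not a dictionary"]
    for name in sorted(set(managers) - KNOWN_MANAGERS, key=str):
        findings.append(f"unknown manager type: {name}")
    # Assumption: every manager nests its entries under 'providers', as 'external' does here.
    configured = [k for k, v in managers.items() if isinstance(v, dict) and v.get("providers")]
    if not configured:
        findings.append("no provider configured")
    if "implicit" in configured:
        findings.append("implicit provider configured: review, may allow anonymous access")
    return findings

# Constructed samples: the empty dictionary from this page, and a broken variant.
PAGE_CONFIG = "authmanagers: {\n  'external': {},\n  'explicit': {},\n  'implicit': {}}\n"
BROKEN_CONFIG = "authmanagers: {\n  'external': {},\n  'explict': {},\n  'implicit': {}\n}\n"

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint_authmanagers(cfg))
```

Line numbers in the findings count from the `authmanagers:` line, not from the top of od.config.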

implicit Authentication

implicit is the simplest authentication mode. It grants anonymous, always-allow access without requiring user credentials.

See Authentication: implicit for configuration details.

explicit Authentication

explicit authentication integrates with directory services such as LDAP, LDAPS, and Microsoft Active Directory. Users authenticate by providing a username and password, which are validated against the configured directory server.

See Authentication: explicit for configuration details.

metaexplicit Authentication

The metaexplicit authentication manager enables authentication across multiple Active Directory domains or forests through trust relationships. It reads the user's domain from a metadirectory attribute and delegates authentication to the user's home domain. This provider supports Foreign Security Principals (FSPs) and Special Identities.

See Authentication: metaexplicit for configuration details.

external Authentication

external authentication delegates to external OAuth 2.0 providers, including Google OAuth 2.0, GitHub OAuth 2.0, Facebook, Orange, and any OIDC-compliant identity provider.

See Authentication: external for configuration details.

Combining Multiple Authentication Providers

abcdesktop.io supports combining external, explicit, and implicit providers in a single authmanagers dictionary. The login page renders a button or form for each configured provider.

Example of a combined configuration:

[Image: login page with all providers]

The following authmanagers configuration produces the combined login page shown above:

authmanagers: {
  'external': {
    'providers': {
      'google': { 
        'icon': 'img/auth/google_icon.svg',
        'displayname': 'Google', 
        'textcolor': '#000000',
        'backgroundcolor': '#FFFFFF',
        'enabled': True,
        'client_id': 'xxxx', 
        'client_secret': 'xxxx',
        'userinfo_auth': True,
        'scope': [ 'https://www.googleapis.com/auth/userinfo.email',  'openid' ],
        'userinfo_url': 'https://www.googleapis.com/oauth2/v1/userinfo',