Reconfigure OIDC for a tenant

Overview

Use this guide to update the OIDC configuration of an existing Poolside deployment. Common reasons to reconfigure include:

The OIDC client secret expired, or your identity provider rotated it.
The Poolside deployment hostname changed, so the redirect URL no longer matches the identity provider configuration.
The OIDC issuer URL or client ID changed.

You can use the reconfigure-tenant command to update one OIDC field or several fields in a single reconfiguration. When you update the client secret, Poolside re-encrypts it at rest. This guide does not cover initial OIDC configuration. For the initial OIDC application setup in your identity provider, see OIDC authentication.

Prerequisites

kubectl access to the cluster running Poolside, with permission to exec into pods in the poolside namespace.
The new OIDC values you want to apply: issuer URL, client ID, client secret, or redirect URL.

Steps

The reconfigure-tenant command requires the tenant ID as a positional argument. Find the tenant ID from the auth API or directly from Postgres.
- Auth API
- Postgres
1. If the Poolside deployment is reachable from your workstation, query the tenant-login-options endpoint with any valid Poolside user email. URL-encode the @ as %40.
  curl -ks -X 'GET' 'https://<your-poolside-hostname>/v0/auth/tenant-login-options?email=<valid-email>' -H "Content-Type: application/json" | jq -r '.tenants[0].id'
  Example output:
  123e4567-e89b-12d3-a456-426614174000
2. Copy the uuid value to use it as <tenant-id>.
1. Exec into the postgres-0 pod and open a psql session:
  kubectl -n poolside exec -it postgres-0 -- psql -U poolside -d poolside
2. Query the tenant table:
  select id, uuid from tenant;
  Example output for a single-tenant on-premises deployment:
  id | uuid ----+-------------------------------------- 1 | 123e4567-e89b-12d3-a456-426614174000 (1 row)
3. Copy the uuid value to use it as <tenant-id>.
4. Exit psql with \q.
Exec into a core-api pod and run the reconfigure-tenant command with the flags you want to change. Include at least one OIDC flag. The reconfigure-tenant command supports the following flags:
- --oidc-client-id: OIDC client ID.
- --oidc-client-secret: OIDC client secret. Poolside encrypts this value at rest.
- --oidc-issuer: OIDC issuer URL.
- --oidc-redirect-url: OIDC redirect URL.
Command syntax
```
kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> [flags]
```
To rotate the client secret only:
Example: Rotate the client secret
```
kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> --oidc-client-secret '<new-client-secret>'
```
To update multiple fields in one command:
Example: Update multiple OIDC fields
```
kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> --oidc-issuer '<new-issuer-url>' --oidc-client-id '<new-client-id>' --oidc-client-secret '<new-client-secret>' --oidc-redirect-url 'https://<new-poolside-hostname>/auth/callback'
```
On success, the command prints:
```
Tenant <tenant-id> reconfigured.
```
Passing an empty string to any --oidc-* flag is rejected. Quote secrets with single quotes to avoid shell expansion of special characters.
Verify the change. Sign in to Poolside at https://<your-poolside-hostname> and complete the OIDC flow. A successful sign-in confirms the new configuration is in effect. If sign-in fails, check core-api logs for the OIDC error returned by the identity provider:
```
kubectl -n poolside logs -l app.kubernetes.io/name=core-api --tail=200
```

​Overview

​Prerequisites

​Steps

Overview

Prerequisites

Steps