Reconfigure OIDC for a tenant

Documentation Index

Fetch the complete documentation index at: https://docs.poolside.ai/llms.txt

Use this file to discover all available pages before exploring further.

​

Overview

• The OIDC client secret expired, or your identity provider rotated it.
• The Poolside deployment hostname changed, so the redirect URL no longer matches the identity provider configuration.
• The OIDC issuer URL or client ID changed.

​

Prerequisites

• kubectl access to the cluster running Poolside, with permission to exec into pods in the poolside namespace.
• The new OIDC values you want to apply: issuer URL, client ID, client secret, or redirect URL.

​

Steps

1. The reconfigure-tenant command requires the tenant ID as a positional argument. Find the tenant ID from the auth API or directly from Postgres.
   • Auth API
   • Postgres

   1. If the Poolside deployment is reachable from your workstation, query the tenant-login-options endpoint with any valid Poolside user email. URL-encode the @ as %40.
      curl -ks -X 'GET' 'https://<your-poolside-hostname>/v0/auth/tenant-login-options?email=<valid-email>' -H "Content-Type: application/json" | jq -r '.tenants[0].id'
      
      Example output:
      123e4567-e89b-12d3-a456-426614174000
      
   2. Copy the uuid value to use it as <tenant-id>.

   1. Exec into the postgres-0 pod and open a psql session:
      kubectl -n poolside exec -it postgres-0 -- psql -U poolside -d poolside
      
   2. Query the tenant table:
      select id, uuid from tenant;
      
      Example output for a single-tenant on-premises deployment:
       id |                 uuid
      ----+--------------------------------------
        1 | 123e4567-e89b-12d3-a456-426614174000
      (1 row)
      
   3. Copy the uuid value to use it as <tenant-id>.
   4. Exit psql with \q.
2. Exec into a core-api pod and run the reconfigure-tenant command with the flags you want to change. Include at least one OIDC flag. The reconfigure-tenant command supports the following flags:
   • --oidc-client-id: OIDC client ID.
   • --oidc-client-secret: OIDC client secret. Poolside encrypts this value at rest.
   • --oidc-issuer: OIDC issuer URL.
   • --oidc-redirect-url: OIDC redirect URL.
   Command syntax

   kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> [flags]
   
   To rotate the client secret only:
   Example: Rotate the client secret

   kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> --oidc-client-secret '<new-client-secret>'
   
   To update multiple fields in one command:
   Example: Update multiple OIDC fields

   kubectl -n poolside exec -it deploy/core-api -- /usr/local/bin/api reconfigure-tenant <tenant-id> --oidc-issuer '<new-issuer-url>' --oidc-client-id '<new-client-id>' --oidc-client-secret '<new-client-secret>' --oidc-redirect-url 'https://<new-poolside-hostname>/auth/callback'
   
   On success, the command prints:
   Tenant <tenant-id> reconfigured.
   
   Passing an empty string to any --oidc-* flag is rejected. Quote secrets with single quotes to avoid shell expansion of special characters.
3. Verify the change. Sign in to Poolside at https://<your-poolside-hostname> and complete the OIDC flow. A successful sign-in confirms the new configuration is in effect. If sign-in fails, check core-api logs for the OIDC error returned by the identity provider:
   kubectl -n poolside logs -l app.kubernetes.io/name=core-api --tail=200