Advanced Agent Authentication
This part of the documentation is intended only for use in the context of a supported PoC (Proof of Concept) together with the Steadybit team. Please book an appointment to scope your PoC before continuing to evaluate the on-prem solution.
By default, agents authenticate using the configured agent key.
This key is global: all agents of your organization share the same key.
If you want more security controls, you can use OIDC for agent authentication instead of the agent key. This requires an OIDC identity provider (e.g. Keycloak).
For each request to the platform, the agent uses an access token issued by the identity provider. The platform verifies the token.
To instruct the platform to validate all incoming agent requests against a specific identity provider, set STEADYBIT_AUTH_AGENT_PROVIDER=OAUTH2 and the STEADYBIT_AUTH_AGENT_OAUTH2_ISSUER_URI to the issuer URI of your identity provider.
To tell the agent to use OIDC, set STEADYBIT_AGENT_AUTH_PROVIDER=OAUTH2, STEADYBIT_AGENT_AUTH_OAUTH2_ISSUER_URI to the issuer URI of your identity provider and the STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_ID to the client id to use.
Alternatively, instead of using the issuer URI, you can directly configure the STEADYBIT_AGENT_AUTH_OAUTH2_TOKEN_URI to tell the agents where to get the access tokens from. In that case the agent won't try to read the OIDC discovery endpoint.
To use the client credentials flow, set the STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_SECRET to the client secret.
To use username and password, set STEADYBIT_AGENT_AUTH_OAUTH2_AUTHORIZATION_GRANT_TYPE=password and provide a username and password with STEADYBIT_AGENT_AUTH_OAUTH2_USERNAME and STEADYBIT_AGENT_AUTH_OAUTH2_PASSWORD.
To use mutual TLS, specify PEM files containing an X.509 certificate and a PKCS#8 private key by setting STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_CERT_KEY_FILE and STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_CERT_CHAIN_FILE. In case the key is encrypted, you can specify the password using STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_CERT_PASSWORD.
The agent automatically reloads the certificates when the file changes, but it might take up to ten seconds.
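A preflight check for the agent-side settings described above, as an added example that is not Steadybit code: it reads the variables named on this page from the environment and reports combinations the page rules out, such as a key file that is not PKCS#8 or an encrypted key without a password. The function name and the owner-only permission check on the key file are assumptions of this example. The client secret is not checked, because the page does not say whether mutual TLS replaces it.

```shell
#!/bin/sh
# Added example, not Steadybit code. Rules are read off this page; the
# owner-only permission check on the key file is an extra hardening assumption.
check_agent_oauth2_env() (
  problems=0
  p=STEADYBIT_AGENT_AUTH_OAUTH2   # prefix, used in messages only
  fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }

  [ "${STEADYBIT_AGENT_AUTH_PROVIDER:-}" = "OAUTH2" ] \
    || fail "STEADYBIT_AGENT_AUTH_PROVIDER is not OAUTH2"
  [ -n "${STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_ID:-}" ] \
    || fail "${p}_CLIENT_ID is not set"
  # Discovery through the issuer URI, or an explicit token endpoint.
  [ -n "${STEADYBIT_AGENT_AUTH_OAUTH2_ISSUER_URI:-}${STEADYBIT_AGENT_AUTH_OAUTH2_TOKEN_URI:-}" ] \
    || fail "neither ${p}_ISSUER_URI nor ${p}_TOKEN_URI is set"

  if [ "${STEADYBIT_AGENT_AUTH_OAUTH2_AUTHORIZATION_GRANT_TYPE:-}" = "password" ]; then
    if [ -z "${STEADYBIT_AGENT_AUTH_OAUTH2_USERNAME:-}" ] \
      || [ -z "${STEADYBIT_AGENT_AUTH_OAUTH2_PASSWORD:-}" ]; then
      fail "password grant needs ${p}_USERNAME and ${p}_PASSWORD"
    fi
  fi

  key="${STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_CERT_KEY_FILE:-}"
  chain="${STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_CERT_CHAIN_FILE:-}"
  if [ -n "$key$chain" ]; then   # mutual TLS requested
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
      fail "mutual TLS needs readable key and chain files"
    else
      grep -qF -e '-----BEGIN CERTIFICATE-----' "$chain" \
        || fail "$chain holds no PEM certificate"
      if grep -qF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        [ -n "${STEADYBIT_AGENT_AUTH_OAUTH2_CLIENT_CERT_PASSWORD:-}" ] \
          || fail "key is encrypted but ${p}_CLIENT_CERT_PASSWORD is not set"
      elif ! grep -qF -e '-----BEGIN PRIVATE KEY-----' "$key"; then
        fail "$key is not PKCS#8 PEM (a PKCS#1 'BEGIN RSA PRIVATE KEY' file needs converting)"
      fi
      # ls -l mode string: characters 5-10 are the group and other bits.
      [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
        || fail "$key is accessible to group or others"
    fi
  fi
  [ "$problems" -eq 0 ]
)
```

Call check_agent_oauth2_env in the same environment the agent starts with; it prints one FAIL line per problem to stderr and returns non-zero if any were found.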