Authentication
Available on: Enterprise Edition
How to configure the authentication for your Kestra instance.
Kestra provides two authentication methods:
- Basic Auth: enabled by default
- OpenID Connect (OIDC)
By default, the JWT token security is configured to use the default Kestra encryption key. If you haven't already configured it, generate a secret that is at least 256 bits and add it to your kestra configuration as follows:
kestra:
encryption:
secret-key: your-256-bits-secret
This secret must be the same on all your webserver instances and will be used to sign the JWT cookie and encode the refresh token.
If you want to use different keys, you can configure the key using the following configuration:
micronaut:
security:
token:
jwt:
generator:
refresh-token:
secret: refresh-token-256-bits-secret
signatures:
secret:
generator:
secret: signature-256-bits-secret
JWT configuration
It is possible to change the JWT cookie behavior using Micronaut Cookie Token Reader configuration. For example, you can define the cookie's maximum lifetime as micronaut.security.token.cookie.cookie-max-age: P2D.
Basic Authentification
The default installation comes with no users defined. To create an administrator account, use the following CLI command:
./kestra auths users create --admin --username=<admin-username> --password=<admin-password> --tenant=<tenant-id>
If you don't have multi-tenancy enabled, you can omit the --tenant parameter.
OpenID Connect (OIDC)
To enable OIDC in the application, make sure to enable OIDC in Micronaut:
micronaut:
security:
oauth2:
enabled: true
clients:
google:
client-id: "{{ clientId }}"
client-secret: "{{ clientSecret }}"
openid:
issuer: "{{ issuerUrl }}"
More information can be found in the Micronaut OIDC configuration.
Single Sign-On (SSO) with Google, Microsoft, and others
Check the Single Sign-On documentation for more details on how to configure SSO with Google, Microsoft, and other providers.
Was this page helpful?