Lookout OIDC Authentication Mapping to Groups

[washcycle]

Setting up OIDC authentication for Lookout.

I was able to get the new auth features for OIDC working with help from @dejanzele and associates.

I'd like to be able to map users in my OIDC provider to groups in Armada.

Environment

• Lookout: v0.19.2
• OIDC Provider: Keycloak 26.2.4

lookout config

apiPort: 8080
auth:
  anonymousAuth: true
corsAllowedOrigins:
- http://localhost
postgres:
  connection:
    dbname: lookout
    host: xxxxxxx
    password: xxxxxxxx
    port: 5432
    sslmode: require
    user: xxxxx
uiConfig:
  oidc:
    authority: https://example.com/realms/apqx
    clientId: armada-client
    scope: openid profile email
  oidcEnabled: true

I assume I need configuration under the application config auth item or perhaps another scope to pull in user groups.

Another question I have is the auth section for Lookout is what is authorized against the backend server?

[dejanzele]

Hi @washcycle,

Thanks for raising the issue and documenting the auth config!

Does this also need to be configured at top level?

auth:
  anonymousAuth: false
  openIdAuth:
    clientId: some-client-armada
    groupsClaim: some-claim
    providerUrl: https://example.idp.net/realms/some-realm

We'll try to answer your question for mapping users as soon as possible!

[washcycle]

A follow up for auth configuration is do I need to make each basicAuth section match in each component.

Components being:

• server
• scheduler
• lookout
• binoculars
• executors

I'd assume I have to make each auth section identical in each one, or can I mix and match. Have basic auth between binoculars and lookout and odic for the UI in lookout, and basic auth on the server from the armadactl or SDKs.

Update:

I tested adding basic auth to only the server and scheduler and I was able to launch a job, owner came through correctly.

I disabled the anonymous auth and it's stuck in the queued state now.

I don't see any errors in the logs, but I assume I need to add some basic auth from the scheduler <--> executor.

[washcycle]

This is what I did for my executor(s) config. And that seems to have gotten the queued job to run.

application:
  clusterId: aks
  pool: default
executorApiConnection:
  armadaUrl: apqx-armada-scheduler.rxample.comt:443
  basicAuth:
    password: xxxxxxxx
    username: armada-svc
  forceNoTls: false

[washcycle]

025-05-29T19:54:36.904Z WARN queue_cache.go:54 Error fetching queues: rpc error: code = Unauthenticated desc = Invalid credentials presented for user "armada-svc" via auth service "Basic" getting this error when trying to add basic auth from the server to the scheduler.

I have the basic auth filled on both ends, I must be putting it in the wrong section.

[dejanzele]

Here's an example for configuring per-queue permissions (there isn't a way to edit the queue definition in place, so we get it first, add changes and then apply it):

$ armadactl get queue some-queue
apiVersion: armadaproject.io/v1beta1
kind: Queue
...
permissions:
- subjects:
  - kind: User
    name: some-user1
  - kind: User
    name: some-user2
  verbs:
  - cancel
  - preempt
  - reprioritize
  - submit
  - watch
- verbs:
  - cancel
  - preempt
  - reprioritize
  - watch
priorityFactor: 500

# get queue yaml
armadactl get queue queue-a > queue-a.yaml
# edit file as needed and then apply
armadactl create -f queue-a.yaml

[dejanzele]

Here is a list of which Permissions Armada supports.

This field needs to be set to match the groups claim key in your ID token (most probably it is just groups).

Then, you can configure mappings from some permission to a list of groups in this field.

[washcycle]

Another auth issue I noticed seems to be binoculars specific.

@dejanzele

I am trying to secure this connectivity, but the binoculars configuration doesn't seem to accept anything besides anonymous auth. 

config

auth:
  anonymousAuth: false
  basicAuth:
    lookout-svc:
      groups:
      - everyone
      password: xxxxxxx
corsAllowedOrigins:
- http://localhost
- https://xxxxxxxx
impersonateUsers: false

Error

{"level":"info","time":"2025-06-12T17:58:57.709Z","caller":"startup.go:41","message":"Read base config from /app/config/binoculars/config.yaml"}
{"level":"info","time":"2025-06-12T17:58:57.709Z","caller":"startup.go:43","message":"Read override config from [/config/application_config.yaml]"}
{"level":"info","time":"2025-06-12T17:58:57.709Z","caller":"startup.go:53","message":"Read config from /config/application_config.yaml"}
{"level":"warn","time":"2025-06-12T17:58:57.710Z","caller":"startup.go:73","message":"Unused keys: [Auth.BasicAuth.armada-svc]"}
{"level":"info","time":"2025-06-12T17:58:57.710Z","caller":"main.go:45","message":"Starting..."}
{"level":"info","time":"2025-06-12T17:58:57.710Z","caller":"http.go:20","message":"Pprof server not configured, skipping"}
{"level":"info","time":"2025-06-12T17:58:57.710Z","caller":"startup.go:123","message":"Starting http server listening on 9000"}
{"level":"info","time":"2025-06-12T17:58:57.711Z","caller":"kubernetes_client.go:90","message":"Running with in cluster client configuration"}
{"level":"info","time":"2025-06-12T17:58:57.711Z","caller":"startup.go:123","message":"Starting http server listening on 8080"}
{"level":"error","time":"2025-06-12T17:58:57.712Z","caller":"server.go:33","message":"Failed to create auth services at least one auth method must be specified in config"}

[washcycle]

I did get the groups working... I haven't tried OIDC via the server yet, but I would like to limit user's abilities in the lookout UI.

   auth:
      anonymousAuth: false
      basicAuth:
        users:
          user1:
            groups:
              - user1
            password: xxxxxx
          armada-svc:
            groups:
              - armada-admin
            password: xxxxx
          test:
            groups:
              - test
            password: xxxxxxx
          user2:
            groups:
              - user2
            password: xxxxxx
      permissionGroupMapping:
        cancel_any_jobs:
          - everyone
        create_queue:
          - armada-admin
        delete_queue:
          - armada-admin
        execute_jobs:
          - user1
          - user2
        preempt_any_jobs:
          - user1
          - user2
        reprioritize_any_jobs:
          - everyone
        submit_any_jobs:
          - user1
          - user2
          - test
        watch_all_events:
          - everyone

[washcycle]

When trying to cancel a job in Armada with OIDC from lookout I got.

{
    "error": "Invalid credentials presented via auth service \"OIDC\": oidc: expected audience \"xxxx-armada\" got [\"account\"]",
    "code": 16,
    "message": "Invalid credentials presented via auth service \"OIDC\": oidc: expected audience \"xxxx-armada\" got [\"account\"]"
}

Looks like there is a small note here about it having to be the same as the clientId.

armada/docs/developer/oidc.md

Line 15 in d89bfb3

8) Select Audience to be your client id.

[dimm0]

If you want to interact with Armada, you have to use one of our client APIs. The armadactl is not setup to work with OIDC at this time.

https://github.com/armadaproject/armada/blob/master/docs/developer/setting-up-oidc.md

Has anybody succeeded in using OIDC with Armada?

Also what's KubernetesNativeAuth in

armada/pkg/client/connection.go

Line 40 in 68108c6

KubernetesNativeAuth kubernetes.NativeAuthDetails

?

[washcycle]

I got it working in the Lookout UI, but that’s it. Regards, Matthew Landowski

…

On Fri, Sep 19, 2025 at 17:33 Dmitry Mishin ***@***.***> wrote: *dimm0* left a comment (armadaproject/armada#4356) <#4356 (comment)> If you want to interact with Armada, you have to use one of our client APIs. The armadactl is not setup to work with OIDC at this time. https://github.com/armadaproject/armada/blob/master/docs/developer/setting-up-oidc.md Has anybody succeeded in using OIDC with Armada? Also what's KubernetesNativeAuth in https://github.com/armadaproject/armada/blob/68108c6b830be7419ab7d272f21e606f05e479b1/pkg/client/connection.go#L40 ? — Reply to this email directly, view it on GitHub <#4356 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIGT7WYJXNYWBV4IIRNZET3TSAFLAVCNFSM6AAAAAB5W76OT2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTGMJUGAZTGOJTGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>