Use a Built-in OIDC Identity Provider
With GoodData Cloud Native (GoodData.CN), you can use Dex, a built-in OpenID Connect (OIDC) Identity Provider that can store user credentials. Dex is used by default if you do not set up an external OIDC Identity Provider.
We recommend that you use Dex only if you have one Organization because it may not be able to distinguish users among multiple Organizations. If you have more than one Organization, use an external OIDC Identity Provider.
Dex does not require any additional configuration. Once you have deployed GoodData.CN, Dex is ready to be used.
When managing users in Dex, you will have to provide the $GDC_API_TOKEN.
Create a User in Dex
To create a user in Dex, submit a POST request to /api/auth/users.
curl -H "Authorization: Bearer $GDC_API_TOKEN" \
-H "Content-type: application/json" -d '{"email": "boss@alpha.example.com",
"password": "123456", "displayName": "John Doe"}' --request POST \
https://analytics.alpha.example.com/api/auth/users
The user is created, and the following JSON object with the user’s properties is returned:
{
"email": "boss@alpha.example.com",
"password": null,
"displayName": "John Doe",
"authenticationId": "CiQ0YWFiZmIzNy03MTNiLTQyNWYtODZhMy0yNmFlNmM1ZjYwNDMSBWxvY2Fs"
}
Once the user has been created, map the user to your Organization. You will need the value of the authenticationId property to map the user, so copy this value from the returned JSON object.
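Added example, not part of the GoodData documentation: before mapping the user, you can check that the authenticationId you copied is complete by decoding it. It relies on upstream Dex behaviour that this page does not state, namely that Dex subject identifiers are the unpadded base64url encoding of a small protobuf message holding the user ID and the connector ID. The field names user_id and conn_id and all function names are assumptions made for this example.

```python
import base64
import json


def _varint(buf, pos):
    """Read one protobuf varint at pos; return (value, next_pos)."""
    value = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated varint")


def decode_authentication_id(auth_id):
    """Split an authenticationId into user ID and connector ID, or raise ValueError."""
    padded = auth_id + "=" * (-len(auth_id) % 4)  # Dex omits the padding
    raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    names = {1: "user_id", 2: "conn_id"}  # assumed from Dex's subject message
    fields, pos = {}, 0
    while pos < len(raw):
        tag, pos = _varint(raw, pos)
        # Both fields are length-delimited strings (wire type 2).
        if tag & 7 != 2 or tag >> 3 not in names:
            raise ValueError(f"unexpected protobuf tag {tag:#x}")
        length, pos = _varint(raw, pos)
        if pos + length > len(raw):
            raise ValueError("field runs past the end of the value")
        fields[names[tag >> 3]] = raw[pos:pos + length].decode("utf-8")
        pos += length
    if len(fields) != len(names):
        raise ValueError("user_id or conn_id is missing")
    return fields


# The response body shown above for the create-user request.
SAMPLE_RESPONSE = """{"email": "boss@alpha.example.com", "password": null,
 "displayName": "John Doe",
 "authenticationId": "CiQ0YWFiZmIzNy03MTNiLTQyNWYtODZhMy0yNmFlNmM1ZjYwNDMSBWxvY2Fs"}"""


def subject_of(response_body):
    return decode_authentication_id(json.loads(response_body)["authenticationId"])
```

The identifier is an encoding of two IDs, not a secret, and a value that fails to decode was most likely cut short when it was copied.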
Update a User in Dex
To update a user, submit a PUT request to /api/auth/users/{:email}.
curl -H "Authorization: Bearer $GDC_API_TOKEN" \
-H "Content-type: application/json" -d '{"email": "boss@alpha.example.com",
"password": "Bett3rPa$$w0rd", "displayName": "John Doe"}' --request PUT \
https://analytics.alpha.example.com/api/auth/users/boss@alpha.example.com
This API request changes the current password of the user with the email boss@alpha.example.com to the one that you have provided in the request.
You cannot update a user’s authenticationId property. It is automatically generated when the user is created and is immutable.
Other Available Operations
In addition to creating and updating a user, you can also:
List all users - submit a GET request to /api/auth/users.
View a user - submit a GET request to /api/auth/users/{:email}.
Delete a user - submit a DELETE request to /api/auth/users/{:email}. This request deletes the user’s credentials, which prevents the user from being able to log in, but does not delete the user from the system. To delete the user completely, you need to also delete the user’s mapping.
For more information, see the API documentation.