Use a Built-in OIDC Identity Provider
With GoodData Cloud Native (GoodData.CN), you can use Dex, a built-in OpenID Connect (OIDC) Identity Provider that can store user credentials. Dex is used by default if you do not set up an external OIDC Identity Provider.
Important
We do not recommend using Dex in production environments managing sensitive or confidential data. The API provided for interacting with Dex exposes the entire user list stored in Dex. This means that users can see all the users that are part of their organization, as well as users that are not part of their organization. If you have multiple organizations or want to reduce the risk of data leaking, we recommend you use an external OIDC Identity Provider.
Dex does not require any additional configuration. Once you have deployed GoodData.CN, Dex is ready to be used.
Note
When managing users in Dex, you will have to provide the $BOOTSTRAP_API_TOKEN.
Create a User in Dex
To create a user in Dex, submit a POST request to /api/v1/auth/users.
curl -H "Authorization: Bearer $BOOTSTRAP_API_TOKEN" \
  -H "Content-type: application/json" \
  -d '{"email": "boss@alpha.example.com", "password": "123456", "displayName": "John Doe"}' \
  --request POST \
  $HOST_URL/api/v1/auth/users
The user is created, and the following JSON object with the user’s properties is returned:
{
  "email": "boss@alpha.example.com",
  "password": null,
  "displayName": "John Doe",
  "authenticationId": "CiQ0YWFiZmIzNy03MTNiLTQyNWYtODZhMy0yNmFlNmM1ZjYwNDMSBWxvY2Fs"
}
Once the user has been created, map the user to your Organization. You need the value of the authenticationId property to map the user, so copy it from the returned JSON object.
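In the curl request above, the password is typed on the command line, where it lands in shell history, and both it and the expanded token are visible in the process list. The following added example (not part of the GoodData documentation) sends the same POST from Python, reading the token from the environment and the password from a prompt, and returns the authenticationId needed for the mapping step. The function names and the HTTPS-only check are assumptions of this example.

```python
import getpass
import json
import os
import urllib.request


def build_create_request(host_url, token, email, password, display_name):
    """Build the POST to /api/v1/auth/users described on this page."""
    # Assumption of this example: never send the token or password in clear text.
    if not host_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    body = json.dumps(
        {"email": email, "password": password, "displayName": display_name}
    ).encode("utf-8")
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    }
    url = host_url.rstrip("/") + "/api/v1/auth/users"
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


def extract_authentication_id(response_body):
    """Return authenticationId from the creation response, or raise ValueError."""
    user = json.loads(response_body)
    auth_id = user.get("authenticationId")
    if not isinstance(auth_id, str) or not auth_id:
        raise ValueError("response has no authenticationId; user cannot be mapped")
    # The page's sample response returns "password": null; flag anything else.
    if user.get("password") is not None:
        raise ValueError("response unexpectedly contains a password value")
    return auth_id


def main():
    host_url = os.environ["HOST_URL"]
    token = os.environ["BOOTSTRAP_API_TOKEN"]
    email = input("Email: ")
    display_name = input("Display name: ")
    password = getpass.getpass("Password: ")  # not echoed, not in shell history
    request = build_create_request(host_url, token, email, password, display_name)
    with urllib.request.urlopen(request) as response:
        print(extract_authentication_id(response.read()))


if __name__ == "__main__":
    main()
```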
Update a User in Dex
To update a user, submit a PUT request to /api/v1/auth/users/{:email}.
curl -H "Authorization: Bearer $BOOTSTRAP_API_TOKEN" \
  -H "Content-type: application/json" \
  -d '{"email": "boss@alpha.example.com", "password": "Bett3rPa$$w0rd", "displayName": "John Doe"}' \
  --request PUT \
  $HOST_URL/api/v1/auth/users/boss@alpha.example.com
This API request changes the current password of the user with the email boss@alpha.example.com to the one that you have provided in the request.
Note
You cannot update a user’s authenticationId property. It is automatically generated when the user is created and is immutable.
Other Available Operations
In addition to creating and updating a user, you can also do the following actions:
List all users - submit a GET request to /api/v1/auth/users.
Important
This request returns all of the users in Dex, independent of their organization.
View a user - submit a GET request to /api/v1/auth/users/{:email}.
Delete a user - submit a DELETE request to /api/v1/auth/users/{:email}.
This request deletes the user’s credentials, which prevents the user from being able to log in, but does not delete the user from the system. To delete the user completely, you need to also delete the user’s mapping.
For more information, see the API documentation.