Authentication

Updating an Identity Provider Secret

VOR Stream stores OIDC client secrets for configured identity providers in Vault. To update these secrets, there are two options:

  1. update the oidc_providers.yaml file for the deployment, and rerun the deployment
  2. manually update the secrets stored in Vault

To manually update the secrets stored in Vault, the secret needs to be updated in two places: the OIDC config JSON file and the Vault OIDC authentication method for the identity provider. The steps to update these are outlined in the two sections below.

Updating the oidc-config Vault KV JSON entry

The oidc-config Vault KV JSON entry stores OIDC credentials used by the Django Midtier to authenticate users via the VOR Stream web UI. To manually update the credentials, follow the steps below.

  1. Log in to the Vault instance with root credentials.
  2. Navigate to the oidc-config entry in the KV secrets engine.

    oidc-config KV entry in value

  3. Click Create new version.

  4. Edit the JSON to update the secret (client_secret in the JSON) for the identity provider that needs its secret updated.
  5. Click Save.
  6. Restart the Django Midtier.

    Note

    The command below needs to be run by the installation user (vrisk, by default) on the host that is running the Django Midtier.

    supervisorctl restart uwsgi
    
  7. Attempt to log in to the web UI to ensure the change is successful.
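
Hand-editing the JSON in step 4 is the easiest place to break the entry or touch the wrong provider. As an added example (not VOR Stream code), the Python helper below replaces only one provider's client_secret and reports which fields changed without printing any secret values. The JSON layout and the provider names azure and okta are assumptions constructed for illustration.

```python
import copy
import json

# Constructed sample of an oidc-config document. The layout (one top-level key
# per identity provider, each holding client_id and client_secret) is an
# assumption; match it to the JSON actually shown in Vault.
SAMPLE_OIDC_CONFIG = """
{
  "azure": {"client_id": "app-1", "client_secret": "old-azure-secret"},
  "okta":  {"client_id": "app-2", "client_secret": "old-okta-secret"}
}
"""


def rotate_client_secret(config_json, provider, new_secret):
    """Return (new_json, changed_paths) with only provider.client_secret replaced."""
    config = json.loads(config_json)  # raises ValueError on malformed JSON
    if not isinstance(config, dict) or provider not in config:
        raise KeyError(f"identity provider {provider!r} not found in oidc-config")
    entry = config[provider]
    if not isinstance(entry, dict) or "client_secret" not in entry:
        raise KeyError(f"{provider!r} has no client_secret field")
    if not new_secret or new_secret != new_secret.strip():
        raise ValueError("new secret is empty or has surrounding whitespace")
    if entry["client_secret"] == new_secret:
        raise ValueError("new secret is identical to the stored one")
    updated = copy.deepcopy(config)
    updated[provider]["client_secret"] = new_secret
    return json.dumps(updated, indent=2), changed_paths(config, updated)


def changed_paths(old, new, prefix=""):
    """List dotted paths whose values differ, without exposing the values."""
    paths = []
    for key in sorted(set(old) | set(new)):
        path = f"{prefix}{key}"
        a, b = old.get(key), new.get(key)
        if isinstance(a, dict) and isinstance(b, dict):
            paths += changed_paths(a, b, path + ".")
        elif a != b:
            paths.append(path)
    return paths


if __name__ == "__main__":
    new_json, changed = rotate_client_secret(SAMPLE_OIDC_CONFIG, "okta", "new-okta-secret")
    print("changed fields:", changed)  # new_json is what goes into the new version
```

The list of changed fields should contain exactly one path, the client_secret of the provider being rotated; anything else means the edit touched more than intended.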

Updating secrets for Vault OIDC authentication method

The deployment automatically configures a Vault OIDC authentication method for each entry in the oidc_providers.yaml file. This auth method is used to authenticate users to Vault directly as well as to the CLI. To manually update its credentials, follow the steps below.

  1. Log in to the Vault instance with root credentials.
  2. Select Access in the navigation pane.
  3. Select Authentication Methods in the sub-navigation pane.
  4. Find the associated authentication method for the identity provider that needs its secret updated. It will have a name that matches the key of the identity provider in the oidc_providers.yaml file.
  5. Click the Configure button.

  6. Scroll to the bottom of the page and expand OIDC Options.

  7. Enter the new secret in the OIDC client secret field.
  8. Click Save.
  9. Try logging in to the CLI using vor login to ensure the change is successful.