Login to GitHub and navigate to the organisation you wish to integrate with kPow.
Navigate to Settings > Developer Settings > OAuth Apps > New Oath Application
Fill out the Register a new OAuth application form:
Application Name: The name of your kPow instance, e.g. 'kPow Staging'.
Homepage URL: The absolute URL to your kPow instance, e.g.
Authorization callback URL: The absolute URL for authorization callback, e.g.
Open your freshly created OAuth App and make note of the Client ID and Client Secret.
Set the following environment variables and start kPow:
OPENID_AUTH_URI= The URI to authorize Github users, e.g.
https://github.com/login/oauth/authorize, or[Github Enterprise Host]/login/oauth/authorize
OPENID_TOKEN_URI= The URI to retrieve an OAuth token, e.g.
https://github.com/login/oauth/access_token, or[Github Enterprise Host]/login/oauth/access_token
OPENID_API_URI= The URI to perform user actions, e.g.
https://api.github.com/user, or[Github Enterprise Host]/api/v3/user
OPENID_CLIENT_ID= the Client ID found in the OAuth Apps page (required)
OPENID_CLIENT_SECRET= the Client Secret found in the OAuth Apps page (required)
OPENID_LANDING_URI= The absolute kPow URI, e.g.
kPow will now authenticate users with Github via OAuth2.
See the guide to Role Based Access Control for full configuration details.
When RBAC is enabled kPow will request
orgs:read scope to view a user's roles.
Github Organisation roles are restricted to
member so they are the two default roles you can configure with kPow RBAC when using Github SSO.
kPow makes a request to the GitHub API for user membership state and role information by querying
GET /orgs/:org/memberships/:username. Specify the
github key inside your
rbac-config.yaml to define the Github Organisation to query for role information, and optional role_field to use.
kPow can use the teams associated with the authenticated user as roles in kPow. You can do this by specifying a custom
roles_field in the RBAC yaml:
# Specifically restrict Auth to a single Github Organization# Specify that a user's teams field should be used to identify rolesgithub:org: operatr-iorole_field: teams
Once enabled, kPow will use the list teams API call to query for roles.
This sample configuration specifies:
Who may access kPow
Which users are kPow admins
What RBAC policies are in place
Access is restricted to one Github organisation
Github Teams are used as user-roles for RBAC
See: Role Based Access Control for more information.
# Allow all users who can authenticate access to kPowauthorized_roles:- "*"# Specify that users with 'admin' role are kPow Adminsadmin_roles:- "admin"# Define some RBAC policiespolicies:- resource: ["cluster", "N9xnGujkR32eYxHICeaHuQ"]effect: "Allow"actions: ["TOPIC_INSPECT", "TOPIC_PRODUCE"]role: "admin"# Specifically restrict Auth to a single Github Organization# Specify that a user's teams field should be used to identify rolesgithub:org: operatr-iorole_field: teams