Overview

About this video

What You'll Learn

  1. Configure Portainer OAuth with GitHub client IDs and secrets.
  2. Register Portainer users manually when automatic provisioning stays disabled.
  3. Keep internal authentication available as a recovery path.

Swap Portainer's local user management for single sign-on. Walk through configuring OAuth with GitHub and Google, registering client IDs and secrets, pre-adding users, and keeping internal login as a fallback when settings go wrong.

Chapters


  1. 0:00 Introduction & Problem
  2. 0:27 Current Portainer Internal Authentication
  3. 1:01 Portainer Authentication Settings
  4. 1:18 Focusing on OAuth
  5. 1:26 OAuth Configuration Options Overview (SSO, Provisioning)
  6. 2:33 Setting up GitHub OAuth
  7. 2:41 Creating the GitHub OAuth App
  8. 3:30 Configuring Portainer with GitHub Credentials
  9. 4:05 Adding User for GitHub Authentication
  10. 4:43 Testing GitHub Login
  11. 5:38 Fallback: Allowing Internal Authentication
  12. 6:16 Setting up Google OAuth
  13. 6:40 Creating the Google OAuth Client ID
  14. 7:24 Configuring Portainer with Google Credentials
  15. 7:45 Adding User for Google Authentication
  16. 8:08 Testing Google Login
  17. 8:25 Summary & Benefits of Using OAuth
  18. 8:48 What's Next: Advanced OAuth Configuration
Transcript

Generated from the English captions.

0:00 Introduction & Problem

0:00 Security is hard. Authentication is hard. User management, you guessed it, hard. So let's make our Portainer lives a little bit simpler by using an authentication method that we know and we trust. Today, we'll take a look at configuring Portainer to use GitHub and Google. In just a few clicks, you could turn on single sign-on and never have to worry about manually provisioning users again. Let's take a look at our Portainer instance. So here we are on the Portainer homepage. You'll see here that I have added my local Docker instance, my Docker Desktop on macOS,

0:27 Current Portainer Internal Authentication

0:39 where we can click and see all the usual information that we expect. Stacks, images, networks, yada yada yada. However, for me to access this Portainer instance, I used local authentication. You can see here in the admin user and if I pop back here, I log in with my username and password. If we go to settings and click authentication, we have the ability here to select between internal authentication that we're using now, LDAP, Active Directory, or OAuth. We're gonna focus today on OAuth because this is the authentication method that most people will find handy. We can click on OAuth here and we'll

1:26 OAuth Configuration Options Overview (SSO, Provisioning)

1:27 see that we have a couple of toggles that we can change. One, do we even want to use single sign-on? Spoiler alert, yeah, we do. Managing individual users sucks. You then have a decision to make. Do you want to enable automatic user provisioning? This just means that if you want anyone within your organization, anyone with an account on your external authentication provider, single sign-on provider, to access your Portainer, that can be configured. And to do so, you configure a default team. For today, we're not gonna use that. The other setting you can enable is automatic

2:08 team membership. So giving people access to teams by default based on claims within the external authentication provider. And we will do a follow-up video where we take a look at automatic user provisioning and automatic team membership. But today, we're gonna keep this short and sweet. We're gonna focus on setting up Google and GitHub authentication for your Portainer instance. Let's start with GitHub. Like most OAuth configurations, you need a client ID and a client secret. To get these, you can go to your GitHub organization where you can click settings, scroll all the way down to developer and

2:41 Creating the GitHub OAuth App

2:49 select OAuth apps. Now you'll see I already have a few, but we're going to create a new one. I'm going to call this Portainer in production. And it doesn't matter what your homepage is set to. So I'm just going to say google.com. For the authorization callback, this will need to be a URL that resolves to your Portainer instance. Because I'm running this locally, I'm going to use localhost 9443. From here, we can click register. Oh, and make sure you get the protocol right. This gives us a client ID like so. Let's pop back over to Portainer and drop

3:30 Configuring Portainer with GitHub Credentials

3:36 it in. Next, we need a client secret. So we'll click generate new client secret, but you'll have to provide some authentication to GitHub. This secret will never be shown to you again, so make sure you store it at a nice safe place. We drop this in like so and hit save. And that's it. You've now configured your Portainer instance to authenticate with a GitHub application. Now before we log out and test our GitHub authentication, we need to do one more thing. Because automatic user provisioning is disabled and automatic team membership is disabled, we have to go to users and add

4:05 Adding User for GitHub Authentication

4:19 Rawkode. This is my GitHub username. From here, I can say I am an administrator. Let's pop that in here to authentication. Click save just to confirm that everything looks alright before finally logging out. Now you'll see right away that it'll log me straight back in. And if you caught the little flickers, you would have seen the Portainer logo that detected that I'm not unauthenticated. Now that we've logged out of Portainer, it's redirected us to a GitHub page. What's happened is we browse to localhost 9443. Portainer has detected that we're no longer logged in. Redirected us to GitHub to

4:43 Testing GitHub Login

5:06 see if it can get authentication details, where I've logged out and authentication has failed. So we can say, hey. Let's log in to GitHub. And you'll see that our continue with the Portainer in production application is here. We click sign in, verify our TOTP, and now we're being asked to authenticate the Portainer in production app against GitHub. We can click authorize, we'll be redirected, and logged in to Portainer. And that is GitHub authentication. Now word of warning, this is easy to mess up. And in fact, I've done it a few times. You can turn off the hide authentication

5:38 Fallback: Allowing Internal Authentication

5:46 hide internal authentication prompt. This just means that if you do mess up any settings, you can come back here and log out. We'll sign out of GitHub. Go back to Portainer. And now we have an option. Log in with GitHub or use internal authentication. So if you do mess up, don't worry. Just remember to check that box. And that is external authentication with GitHub. So next, let's take a look at Google. So we go back to the settings authentication screen where we can select Google. Now it's important to note that you can only have one of these enabled at any given time.

6:16 Setting up Google OAuth

6:28 When we select Google, we lose GitHub. We're going to delete the client ID. The client secret is already hidden, and we're gonna head over to Google Cloud. From Google Cloud, you're gonna want to go to API and services and credentials. The easy way to get there is in the search bar to type OAuth, and that's the second hit. From here, we say create credentials where we want to create an OAuth client ID. Now we can see that we are web application, and we'll call this Portainer in production. And I'm just gonna add Google to that

6:40 Creating the Google OAuth Client ID

7:04 to avoid any confusion or ambiguity with the GitHub client. From here, we can add the authorized JavaScript origin. We're gonna use localhost 9443. And in fact, we're going to copy this for the authorized redirect URLs too. We click create and much like the GitHub one, we get our client ID. We can hit copy, pop back, and paste. Next, we're going to copy the secret where we head back to Portainer and paste. From here, we click save. Much like the GitHub, we have to pre add our user. Go back to users. Now we're going to add david at Rawkode

7:45 Adding User for Google Authentication

7:54 dot academy. Why? That is my Google username. And I'm going to make me an administrator. Now we can go and log out. So let's click log in with Google. We get presented with the account switcher, and you can see that it's going to continue to the Rawkode Academy because that's the Google Cloud project name that we should. We select the user, and we're logged in. This is just a short video today showing you how to improve your security posture by removing some headaches from managing your Portainer instance. Nobody likes managing individual user accounts. You're probably already using GitHub,

8:25 Summary & Benefits of Using OAuth

8:39 Google, or some other authentication provider. So just let that do the heavy lifting and manage your Portainer users too. In the next video, we'll take a look at automatic team membership and automatic account creation using those two little checkboxes we avoided in the first video. So come back and see how to go a little deeper with Portainer's external authentication. We'll see you in a couple of days. Until then, have a great day.
