- You cannot change an existing installation from basic auth mode to OAuth with PKCE (deprecated) or vice versa - installations must be either one or the other. A basic auth installation requires a completely fresh installation including a separate PostgreSQL database/schema, unless migrating from an existing
Nonetype installation (see below). - Users must be given their initial auto-generated password once they are invited. This password may be changed later by any Organization Admin.
- You cannot use both basic auth and OAuth with client secret at the same time.
Requirements and features
- There is a single
Defaultorganization that is provisioned during initial installation, and creating additional organizations is not supported - Your initial password (configured below) must be least 12 characters long and have at least one lowercase, uppercase, and symbol
- There are no strict requirements for the secret used for signing JWTs, but we recommend securely generating a string of at least 32 characters. For example:
openssl rand -base64 32
Migrating from None auth
Only supported in versions 0.7 and above. Migrating an installation from None auth mode replaces the single “default” user with a user with the configured credentials and keeps all existing resources. The single pre-existing workspace ID post-migration remains00000000-0000-0000-0000-000000000000, but everything else about the migrated installation is standard for a basic auth installation.
To migrate, simply update your configuration as shown below and run helm upgrade (or docker-compose up) as usual.
Configuration
Changing the JWT secret will log out your users
initialOrgAdminEmail and initialOrgAdminPassword values, and your user will be auto-provisioned with role Organization Admin. See the admin guide for more details on organization roles.
