Skip to main content
Version: v3.8.0

Embedded OIDC Authentication

Greenfield release: v3.8.0

Platform train v3.8.0 uses embedded OIDC as the default auth mode. You do not need Keycloak or any external IdP for a standard deploy. Legacy Keycloak-first guides live in the v3.7.3 snapshot.

Embedded OIDC ships inside the Controller image. The issuer runs at {CONTROLLER_PUBLIC_URL}/oidc. EdgeOps Console and potctl use the same OAuth BFF and RBAC model.

For enterprise IdP integration (Okta, Azure AD, Keycloak, or any OIDC provider), see External OIDC Authentication.

When to use embedded OIDC

ScenarioUse embedded OIDC
Greenfield PoT v3.8 deployYes (default)
Lab or single-site installYes
Quick start and tutorialsYes
Corporate SSO requiredNo - use External OIDC

Minimal Control Plane YAML

Set auth.mode: embedded and bootstrap credentials in your Control Plane manifest. potctl maps these fields to Controller environment variables at deploy time.

auth:
mode: embedded
bootstrap:
username: admin
password: "LocalTest12!" # ≥12 chars, 1 uppercase, 1 special character
controller:
publicUrl: https://controller.example.com:51121
consoleUrl: https://console.example.com:8008

Local Docker installs can set auth.insecureAllowHttp: true when publicUrl uses http://. Production deploys should use HTTPS and valid TLS certificates.

Full YAML field reference: Control Plane YAML. Runtime env mapping: Controller configuration.

Core environment variables

These are the primary knobs for embedded auth. YAML keys under auth.* and controller.* map to the same names.

Environment variableYAML keyEmbedded mode
AUTH_MODEauth.modeSet to embedded (default)
CONTROLLER_PUBLIC_URLcontroller.publicUrlRequired. Issuer base is {CONTROLLER_PUBLIC_URL}/oidc
CONSOLE_URLcontroller.consoleUrlPublic EdgeOps Console URL for OAuth redirects
CONSOLE_PORTcontroller.consolePortConsole listen port (default 8008)
OIDC_BOOTSTRAP_ADMIN_USERNAMEauth.bootstrap.usernameFirst admin login name
OIDC_BOOTSTRAP_ADMIN_PASSWORDauth.bootstrap.passwordBootstrap admin password
AUTH_INSECURE_ALLOW_HTTPauth.insecureAllowHttpAllow http:// in CONTROLLER_PUBLIC_URL (dev only)
TRUST_PROXYcontroller.trustProxyHonor X-Forwarded-* behind a reverse proxy

Optional embedded-only settings (AUTH_SESSION_*, token TTL overrides, rate limits) are listed in Controller configuration.

TLS environment variables

Controller v3.8 renamed SSL_* to TLS_*. Listener certificates are used for HTTPS, agent trust on provision, and embedded OAuth token exchange.

Environment variableYAML keyPurpose
TLS_PATH_CERTcontroller.tls.cert or mounted secretTLS certificate
TLS_PATH_KEYcontroller.tls.keyTLS private key
TLS_PATH_INTERMEDIATE_CERTcontroller.tls.intermediateCertIntermediate / chain certificate
TLS_BASE64_CERTbase64 in YAMLAlternative to file paths
TLS_BASE64_KEYbase64 in YAMLAlternative to file paths

On Kubernetes, the operator can inject TLS from a Secret (controller.secretName) instead of path env vars.

First login

Bootstrap admin

On first startup, Controller creates the bootstrap admin when no admin user exists. Set credentials in deploy YAML or env before the first boot:

auth:
mode: embedded
bootstrap:
username: admin
password: "LocalTest12!"

If env credentials change later, Controller reconciles the bootstrap user (greenfield behavior). Plan credential rotation during a maintenance window.

EdgeOps Console (browser)

  1. Open the Console at CONSOLE_URL (or run potctl view).
  2. Click Sign in.
  3. Complete the embedded login form at {CONSOLE_URL}/login/oauth?interaction=….
  4. Enroll MFA when prompted (required for users in the admin group after first login).

Browser login uses the OAuth BFF (GET /api/v3/user/oauth/authorize). The Console does not POST passwords directly to the IdP.

potctl (CLI)

potctl login

Or call the REST API:

curl -sS -X POST "${CONTROLLER_PUBLIC_URL}/api/v3/user/login" \
-H 'Content-Type: application/json' \
-d '{"email":"admin","password":"LocalTest12!","totp":""}'

Use the bootstrap username as email when it is not an email address.

What embedded OIDC replaces

Removed (v1.6 / v3.7)v3.8 embedded
Keycloak realm setup before deployNot required
auth.url, auth.realm, viewerClientauth.mode: embedded
ECN Viewer OAuth clientEdgeOps Console via Controller BFF
KC_* env varsOIDC_*, AUTH_*, TLS_*

HA notes

DatabaseController replicasEmbedded issuer
SQLite (default)1 onlySupported
MySQL / PostgreSQL2+Supported (shared DB)

For multi-replica browser login with external IdP, use AUTH_SESSION_STORE_TYPE=database. Embedded mode with mysql/postgres auto-selects database-backed BFF sessions when configured.

Next steps

DocumentTopic
Platform Deployment IntroductionRemote or Kubernetes Control Plane
Quick Start With Local DeploymentLocal ECN with embedded auth
External OIDC AuthenticationOptional enterprise IdP
EdgeOps Console configurationconsoleUrl and runtime auth.* paths
Controller configurationFull env var tables
Group 3See anything wrong with the document? Help us improve it!