# Harbor

Instructions to update authentication within Harbor on Photon OS.

## Switch Authentication Modes

Harbor locks the **Auth Mode** setting once any local database user other than the built-in accounts exists. In order to switch authentication modes you must delete all local users except the built-in `admin` (user_id 1) and `anonymous` (user_id 2) rows. This is destructive, so take a backup of the `registry` database in the `harbor-db` container (for example with `pg_dump`) before you start.

```
docker exec -it harbor-db bash
psql -U postgres
\c registry
select * from harbor_user;
delete from harbor_user where user_id > 2;
```

The delete may be rejected because the `project` table has a foreign-key constraint on `owner_id` and one of the users being removed still owns a project. Reassign those projects to `admin` (user_id 1) and run the delete again:

```
update project set owner_id=1;
```

Afterwards, refresh the **Administration** > **Configuration** page and the **Auth Mode** dropdown should now be editable.

Reference: [Harbor FAQs · goharbor/harbor Wiki (github.com)](https://github.com/goharbor/harbor/wiki/harbor-faqs#authentication)

## Add CA

This is specific to VMware Photon OS. It appends the CA chain to the host's trust store, which is what `curl` and other host tools consult when you test connectivity to the OIDC provider. It does not change the trust store inside the `harbor-core` container, so on its own it does not let you enable **Verify Certificate** in the OIDC settings below.

```
cat organized_chain.crt >> /etc/pki/tls/certs/ca-bundle.crt
```

## OIDC

Prerequisites:

- There are no local DB users listed in Harbor under Administration > Users. Otherwise, delete them using the instructions under [Switch Authentication Modes](#switch-authentication-modes).
- From the Harbor instance, be sure you can access the OpenID Configuration, the URL that ends with `/.well-known/openid-configuration`.
  - If this fails, rerun the `curl` command with the `-k` parameter to verify that the issue is not related to TLS; if it is, [Add CA](#add-ca) on the Photon OS host.
  - If the issue does not appear to be TLS-related, then be sure you can ping or trace route to the OIDC provider and verify you can reach the port via `netcat` or `Test-NetConnection` (PowerShell).
- Create a client within Keycloak.
  - Be sure to enable **Client authentication** and enable **Service accounts roles**.
  - Disable **Direct access grants** since it is not required.
  - Once the client has been created, add the following:
    - Settings > Access settings > Valid redirect URIs > Update this with the redirect URI shown on the Harbor OIDC settings page.
    - Client scopes > Add client scope > Add > groups; set the Assigned type to **Default**. The `groups` scope must produce a `groups` claim whose values are plain group names. If it uses Keycloak's Group Membership mapper, leave **Full group path** off; otherwise the claim carries `/Harbor Admins` and will not match the **OIDC Admin Group** value below.
- Admin credentials to log into Harbor.

1. Log into Harbor with your admin credentials.
2. Navigate to Administration > Configuration.
3. Switch the **Auth mode** to **OIDC**.
4. Set the following values:

   | Key                  | Value                   | Notes                                                                                                                                                           |
   | -------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | OIDC Provider Name   | Keycloak                | Any identifier is fine                                                                                                                                          |
   | OIDC Endpoint        | *issuer URL*            | Do not include the `/.well-known/openid-configuration` portion or the trailing slash; the value must equal the `issuer` field of the discovery document exactly |
   | OIDC Client ID       | *client ID*             | Retrieve from the Keycloak client                                                                                                                               |
   | OIDC Client Secret   | *client secret*         | Retrieve from the Keycloak client's Credentials tab                                                                                                             |
   | Group Claim Name     | groups                  | Required for the OIDC Admin Group setting to grant admin rights                                                                                                 |
   | OIDC Admin Group     | Harbor Admins           | Group reserved for admins in Keycloak; members become Harbor system administrators on login                                                                     |
   | OIDC Scope           | openid,offline_access   | Comma-delimited with no spaces; `openid` is mandatory. Add scopes such as profile or email if the claims you need are not included by default                   |
   | Verify Certificate   | Unchecked               | Harbor will not verify the provider's TLS certificate. Enabling it requires the CA inside the immutable harbor-core Docker image (out of scope)                 |
   | Automatic onboarding | Checked                 | The Harbor user is created on first OIDC login without prompting for a username                                                                                 |
   | Username Claim       | preferred_username      | Keycloak's default username claim                                                                                                                               |

5. Update the Keycloak client with the correct **Redirect URI** from Harbor.
6. Click on the **Test OIDC Server** button.
7. If there are no errors, **Save**. Otherwise, check the logs for errors by logging into your Harbor host and running:

```
docker logs harbor-core [--tail=10] [-f]
```
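The cleanup under Switch Authentication Modes, done in a single transaction so a constraint failure rolls everything back instead of leaving the tables half-edited. This is an added example, not code from the Harbor wiki. It assumes the database container is named `harbor-db`, the database is `registry`, and that `admin` and `anonymous` occupy user_id 1 and 2 (Harbor's reserved rows); unlike the bare `update project set owner_id=1` above, it only reassigns projects owned by the users being removed.

```shell
#!/bin/sh
# Added example, not from the Harbor wiki. Assumptions (adjust for your install):
# the DB container is harbor-db, the database is "registry", the built-in admin is
# user_id 1 and the anonymous user is user_id 2.

DB_CONTAINER="${DB_CONTAINER:-harbor-db}"

# Emit the cleanup SQL. BEGIN/COMMIT wrap it in one transaction; psql runs with
# ON_ERROR_STOP below, so a failing statement means COMMIT is never reached.
cleanup_sql() {
  cat <<'EOF'
BEGIN;
-- Hand every project owned by a user about to be removed back to admin (user_id 1),
-- which satisfies the project.owner_id foreign-key constraint.
UPDATE project SET owner_id = 1 WHERE owner_id > 2;
-- Remove every local user except admin (1) and anonymous (2).
DELETE FROM harbor_user WHERE user_id > 2;
-- Show what is left; expect exactly the two reserved rows.
SELECT user_id, username FROM harbor_user ORDER BY user_id;
COMMIT;
EOF
}

# How many local users would be deleted. Run this before the cleanup so you know
# what you are removing (and whom to re-onboard through OIDC afterwards).
pending_count() {
  docker exec "$DB_CONTAINER" psql -U postgres -d registry -At \
    -c "SELECT count(*) FROM harbor_user WHERE user_id > 2;"
}

# Apply the cleanup. -i keeps stdin open so the SQL can be piped in;
# -v ON_ERROR_STOP=1 makes psql abort at the first error.
run_cleanup() {
  cleanup_sql | docker exec -i "$DB_CONTAINER" psql -U postgres -d registry -v ON_ERROR_STOP=1
}

if [ "${1:-}" = "run" ]; then
  echo "local users to delete: $(pending_count)"
  run_cleanup
fi
```

Invoke as `sh cleanup.sh run` on the Photon OS host after taking a backup; without the `run` argument the script only defines the functions.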
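A preflight script for the OIDC prerequisites and the **Test OIDC Server** step, as an added example that is not part of the Harbor or Keycloak documentation. It builds the discovery URL the way Harbor does, checks the scope string format, verifies that the provider's `issuer` matches the configured endpoint byte for byte (go-oidc, which Harbor uses, rejects any mismatch, including a trailing slash), and uses the client's service account (the reason **Service accounts roles** is enabled) to prove the client ID, secret and token endpoint work. The hostname, realm, client ID and secret are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not Harbor or Keycloak code. Endpoint, client ID and secret below
# are assumed placeholders; override them through the environment.
HARBOR_OIDC_ENDPOINT="${HARBOR_OIDC_ENDPOINT:-https://sso.example.com/realms/demo}"
HARBOR_OIDC_CLIENT_ID="${HARBOR_OIDC_CLIENT_ID:-harbor}"
HARBOR_OIDC_CLIENT_SECRET="${HARBOR_OIDC_CLIENT_SECRET:-change-me}"
CURL_TLS_OPT="${CURL_TLS_OPT:-}"   # set to -k only to prove a failure is TLS-related

# Discovery URL as Harbor derives it: endpoint minus trailing slash, plus the
# well-known path.
discovery_url() {
  printf '%s/.well-known/openid-configuration\n' "${1%/}"
}

# Harbor's OIDC Scope field: comma-delimited, no spaces, openid mandatory.
check_scope() {
  case "$1" in *' '*) echo "scope must not contain spaces" >&2; return 1 ;; esac
  case ",$1," in *,openid,*) return 0 ;; esac
  echo "scope must include openid" >&2
  return 1
}

# Extract one string-valued field from single-line JSON (Keycloak returns compact
# JSON and Photon OS has no jq by default). $1 = field name, $2 = JSON text.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# go-oidc requires discovery "issuer" == configured endpoint exactly, so a trailing
# slash or an http/https mismatch fails Test OIDC Server before anything else.
issuer_matches() {
  [ "$(json_field issuer "$1")" = "$2" ]
}

# Decode the payload segment of a JWT (base64url with padding restored) so the
# claims Harbor maps (preferred_username, groups) can be inspected.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d
}

# --- live checks below need network access and are not exercised offline ---
fetch_discovery() {
  curl -fsS $CURL_TLS_OPT "$(discovery_url "$HARBOR_OIDC_ENDPOINT")"
}

# client_credentials works only because Service accounts roles is enabled on the
# Keycloak client. It validates client ID/secret and the token endpoint; the
# groups claim of a user login is not represented in this service-account token.
fetch_service_token() {
  curl -fsS $CURL_TLS_OPT -u "$HARBOR_OIDC_CLIENT_ID:$HARBOR_OIDC_CLIENT_SECRET" \
    -d grant_type=client_credentials -d scope=openid "$1"
}

preflight() {
  disc=$(fetch_discovery) || {
    echo "discovery fetch failed; rerun with CURL_TLS_OPT=-k to isolate TLS" >&2
    return 1
  }
  issuer_matches "$disc" "$HARBOR_OIDC_ENDPOINT" || {
    echo "issuer mismatch: provider says '$(json_field issuer "$disc")'," \
         "Harbor is configured with '$HARBOR_OIDC_ENDPOINT'" >&2
    return 1
  }
  check_scope openid,offline_access || return 1
  tok=$(fetch_service_token "$(json_field token_endpoint "$disc")") || return 1
  jwt_payload "$(json_field access_token "$tok")"
  echo
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as `sh oidc-preflight.sh run` from the Harbor host. If only `CURL_TLS_OPT=-k` makes the discovery fetch succeed, the problem is the host trust store (see Add CA); an issuer mismatch points at a trailing slash or scheme difference in the OIDC Endpoint field; a failed token request means the client ID or secret is wrong.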