v5 authentication changes
See the Yontrack Helm chart README for instructions on setting up authentication in Yontrack.
Three modes are documented:
- Keycloak with users and groups managed in its own database
- Keycloak delegating to an external LDAP (user federation)
- Direct OIDC to a compatible IdP (Okta, Auth0, etc.)
Accounts can no longer be created or managed in Yontrack, either through the UI or the API. They are created automatically upon authentication; an administrator can only edit their groups and display names.
Passwords can no longer be changed in Yontrack itself. Authentication, and therefore password management, is entirely delegated to the identity provider:
- Built-in Keycloak instance: from their profile page, users click on “Manage account” and are redirected to Keycloak, where they change their password
- Keycloak using an external LDAP as user federation: passwords and accounts are managed entirely in the LDAP
- OIDC connection: passwords and accounts are managed entirely in the IdP
Users can still create API tokens, and tokens created before the migration should have been migrated.
These API tokens can no longer be used as passwords.
Group mappings in Yontrack convert the groups sent by the IdP into authorised Yontrack groups.
While the group setup differs from IdP to IdP, the principle is always the same:
- The JWT access token issued by the IdP must contain a groups claim listing the user's IdP groups
- The Yontrack administrator can then map these IdP groups to actual Yontrack groups
- This mapping can be defined in the UI or via CasC
When the default Keycloak instance is the repository for users and groups, and the default Helm chart settings are used, the groups claim is already configured to include the list of Keycloak groups.
When the default Keycloak instance fronts an LDAP, and the default Helm chart settings are used, the groups claim is already configured to include the list of groups provided by the LDAP.
However, the way Keycloak fetches the groups from the LDAP must still be configured. See the Helm chart documentation for more information.
For a third-party OIDC-compliant IdP, the IdP itself must be configured to put the groups claim in the access token. See the Helm chart documentation for more information.
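As an added, self-contained illustration of the groups-claim flow described above (this is not Yontrack's own code, nor the Helm chart's), the Python below constructs a sample access token, verifies its signature, reads the groups claim, applies a hypothetical IdP-group-to-Yontrack-group mapping, and checks that a Keycloak group-membership protocol mapper (as it appears in a realm or client export) is configured to write the claim into the access token rather than only the ID token, which is the usual reason the claim "disappears". The signing key, claims, group names and mapping are constructed for the demo, and HS256 stands in for the RS256/ES256 a real IdP would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed inputs for the demo (not from Yontrack or any real IdP).
SAMPLE_KEY = b"constructed-demo-signing-key"
SAMPLE_CLAIMS = {"sub": "alice", "groups": ["platform-admins", "sre-oncall"]}
# Hypothetical IdP group -> Yontrack group mapping, as an administrator would
# define it in the UI or CasC. Group names are invented for the example.
IDP_TO_YONTRACK = {
    "platform-admins": "Administrators",
    "release-managers": "Release managers",
}
# A Keycloak "Group Membership" protocol mapper in realm/client export form.
SAMPLE_MAPPER = {
    "name": "groups",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-group-membership-mapper",
    "config": {
        "claim.name": "groups",
        "full.path": "false",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "userinfo.token.claim": "true",
    },
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a signed JWT so the demo has an access token to inspect offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256_token(token: str, key: bytes) -> dict:
    """Check the signature and return the claims. Any alg other than the one we
    expect is refused up front, so 'none' and algorithm confusion never get in."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def groups_from_claims(claims: dict, claim_name: str = "groups") -> list:
    """IdP groups as carried in the access token. A missing or malformed claim is
    the usual misconfiguration (mapper only on the ID token), so fail loudly."""
    groups = claims.get(claim_name)
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError(f"access token carries no usable {claim_name!r} claim")
    return groups

def map_groups(idp_groups, mapping: dict) -> tuple:
    """Translate IdP groups into application groups. Returns (granted, unmapped)
    so unmapped IdP groups can be logged instead of silently dropped. Keys must
    match what the IdP emits: Keycloak sends '/parent/child' when full.path is true."""
    granted = {mapping[g] for g in idp_groups if g in mapping}
    unmapped = {g for g in idp_groups if g not in mapping}
    return granted, unmapped

def keycloak_mapper_targets_access_token(mapper: dict) -> bool:
    """True if a Keycloak group-membership mapper writes a 'groups' claim into
    the access token; id.token.claim alone is not enough for this flow."""
    cfg = mapper.get("config", {})
    return (mapper.get("protocolMapper") == "oidc-group-membership-mapper"
            and cfg.get("claim.name") == "groups"
            and cfg.get("access.token.claim") == "true")

def authorised_groups(token: str, key: bytes, mapping: dict) -> tuple:
    """End to end: verify the token, read the groups claim, apply the mapping."""
    return map_groups(groups_from_claims(verify_hs256_token(token, key)), mapping)

def raises_value_error(fn, *args) -> bool:
    """Helper so the failure cases can be exercised without try/except at call sites."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    granted, unmapped = authorised_groups(token, SAMPLE_KEY, IDP_TO_YONTRACK)
    print("granted:", sorted(granted), "unmapped:", sorted(unmapped))
    print("mapper writes access token:", keycloak_mapper_targets_access_token(SAMPLE_MAPPER))
```

Against a live setup, paste the access token (not the ID token) obtained from your IdP into a decoder and confirm the groups claim is present before touching the Yontrack mapping; if it is absent, the fix is on the IdP side (Keycloak mapper or the equivalent in Okta/Auth0), not in Yontrack.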