Setup

Follow the steps below to set up and configure the DevOps Dashboard:

  1. Enable OAuth authentication for the RESTCONF API

    Configure the admin service to accept OAuth access tokens for RESTCONF API access.

  2. Enable the DevOps Dashboard feature

    Enable the DevOps Dashboard in the admin service settings.

  3. Verify the configuration

    Ensure that the OAuth authentication and DevOps Dashboard features are correctly enabled.

  4. Access the dashboard

    Log in to the DevOps Dashboard using the admin UI login page.

Prerequisites

Before you begin, ensure you have:

  • Admin access to the Curity Identity Server admin UI
  • An OAuth profile configured
  • At least one authenticator configured in your OAuth profile
  • The admin service running (typically on https://localhost:6749)

This guide uses the admin UI for setup, which is the recommended approach. The UI automatically handles the configuration details and creates the required OAuth client. XML configuration examples are provided in the Configuration Reference section for advanced users.

Step 1: Enable OAuth Authentication for RESTCONF API

  1. Navigate to System → Admin Service in the admin UI

  2. Scroll down to the RESTCONF API section (below the main toggles)

  3. You’ll see two authentication options:

    • Basic Authentication (enabled by default) - allows RESTCONF API access using basic credentials
    • OAuth (disabled by default) - allows RESTCONF API access using OAuth access tokens
    fig 1: authentication options
  4. Toggle OAuth to enable it (the toggle will turn green)

  5. Two configuration fields will appear:

    • Token Service Profile* (required) - Select the OAuth profile to accept tokens from when accessing the Dashboard
    • Client - Select the OAuth clients to use for authenticating users to the RESTCONF API
fig 2: token service profile options

Both Basic Authentication and OAuth can be enabled simultaneously. The Token Service Profile determines which OAuth profile validates tokens, while the Client field specifies which OAuth clients are allowed to access the RESTCONF API.

Step 2: Enable the DevOps Dashboard

  1. On the same System → Admin Service page, scroll to the top
  2. You’ll see three main toggles at the top:
    • Web UI - Enable the admin Web UI
    • RESTCONF API - Enable the RESTCONF API
    • DevOps Dashboard - Enable the DevOps Dashboard UI
  3. Toggle DevOps Dashboard to enable it (currently disabled/gray)
fig 3: devops dashboard toggle
  4. The “Enable DevOps Dashboard” dialog will appear with:
    • “An OAuth client named devops_dashboard_restconf_client will be created in the selected OAuth profile oauth-dev”
    • User Authentication* (required) - Select the authenticators to use for authenticating the dashboard client
  5. Click Select Values and choose one or more authenticators from your OAuth profile
  6. Click Submit to enable the dashboard
  7. A “Deploy Changes” dialog will automatically appear:
    • Message: “This will deploy your changes to your environment”
    • Comment field - pre-filled with a description (e.g., “Enabled the restconf and devops dashboard”)
    • You can edit the comment or keep the default
  8. Click OK to commit (deploy) the changes
  9. The system will automatically:
    • Create the OAuth client devops_dashboard_restconf_client with all required settings
    • Configure redirect URIs, scopes, and audiences
    • Set up PKCE and other security requirements
    • Apply all changes to the running environment
  10. After deployment, verify that the DevOps Dashboard toggle at the top is now green (enabled)

The Curity Identity Server automatically prompts you to deploy (commit) changes when you enable the DevOps Dashboard. The changes are applied immediately after you click OK in the Deploy Changes dialog.

Step 3: Verify the Configuration

After enabling, verify the configuration in the admin UI:

In Admin Service Settings:

  • Navigate to System → Admin Service
  • Confirm RESTCONF OAuth is enabled and shows your selected OAuth profile
  • Confirm DevOps Dashboard is enabled and shows the configured client

Check OAuth Client:

  1. Navigate to Profiles → [Your OAuth Profile] → Clients
  2. Find the auto-created client (e.g., devops_dashboard_restconf_client)
  3. Verify it has the following settings:
    • Client Authentication: Public (no authentication)
    • Redirect URI: https://localhost:6749/admin/dashboard/assisted.html
    • Scopes: openid, urn:se:curity:scopes:admin:api
    • PKCE: Required
    • Allowed Origins: https://localhost:6749

Check CORS Settings:

  1. Navigate to System → Environments → [Your Environment] → Services
  2. Under Zones → Default Zone
  3. Verify Allowed Origins for CORS includes https://localhost:6749

The admin UI automatically configures all required settings when you enable the DevOps Dashboard. Manual verification ensures everything is set up correctly.

Step 4: Access the Dashboard

Now you’re ready to access the DevOps Dashboard:

  1. Log out from the admin UI (if currently logged in)
  2. Navigate to the admin login page: https://localhost:6749/admin/login
  3. You should see a DevOps Dashboard button on the login page
  4. Click the DevOps Dashboard button
  5. Authenticate using your configured authenticator
  6. You will be redirected to the DevOps Dashboard interface

If the DevOps Dashboard button does not appear on the login page, verify that:

  1. The DevOps Dashboard toggle is enabled (navigate to System → Admin Service)
  2. The RESTCONF API toggle is enabled on the same page
  3. The OAuth toggle is enabled in the RESTCONF API section (scroll down below the main toggles)

Once enabled, the DevOps Dashboard can be accessed in two ways:

  1. From the admin login page - Click the DevOps Dashboard button

Admin UI login screen with a button to the DevOps Dashboard when it is enabled

  2. Direct URL - Navigate to https://localhost:6749/admin/dashboard

If you change the base URL or listening port of the admin service, the dashboard URL will automatically update. The correct URL is always shown on the admin UI login page.

Understanding the Configuration

This section explains the technical requirements and configuration details for the DevOps Dashboard. Understanding these details helps with troubleshooting and custom configurations.

An example configuration for enabling the DevOps Dashboard can be seen below:

<admin-service>
  <http>
    <ssl-server-keystore>server-key-1</ssl-server-keystore>
    <restconf>
      <oauth xmlns="https://curity.se/ns/conf/profile/oauth">
        <oauth-profile>my-good-oauth-profile</oauth-profile>
        <client>devops_dashboard_restconf_client</client>
      </oauth>
    </restconf>
    <devops-dashboard xmlns="https://curity.se/ns/conf/profile/oauth">
      <client>devops_dashboard_restconf_client</client>
    </devops-dashboard>
  </http>
</admin-service>

OAuth Client Requirements

The DevOps Dashboard requires a specifically configured OAuth client. When you use the admin UI to enable the dashboard, this client is automatically created with all the correct settings. The requirements are:

  • Client Type: Must be a public client (no authentication required)
  • Redirect URI: Must include $ADMIN_BASE_URL/admin/dashboard/assisted.html
  • PKCE: Must require proof key for code exchange
  • Scopes: Must include urn:se:curity:scopes:admin:api and openid
  • Audience: Must include the client’s ID and urn:se:curity:audiences:admin:api
  • Post-Logout Redirect URIs: Must include $ADMIN_BASE_URL/admin/dashboard/assisted.html
  • Capabilities: Only code flow should be enabled
  • Refresh Tokens: Should be disabled (refresh-token-ttl set to disabled)
  • Allowed Origins: Must include $ADMIN_BASE_URL

<client>
    <id>devops_dashboard_restconf_client</id>
    <client-name>DevOps Dashboard Client</client-name>
    <description>The OAuth client that is used to login to the DevOps dashboard.</description>
    <no-authentication>true</no-authentication>
    <redirect-uris>https://localhost:6749/admin/dashboard/assisted.html</redirect-uris>
    <proof-key>
      <require-proof-key>true</require-proof-key>
    </proof-key>
    <refresh-token-ttl>disabled</refresh-token-ttl>
    <audience>urn:se:curity:audiences:admin:api</audience>
    <audience>devops_dashboard_restconf_client</audience>
    <scope>openid</scope>
    <scope>urn:se:curity:scopes:admin:api</scope>
    <user-authentication>
      <allowed-authenticators>my-good-authenticator</allowed-authenticators>
      <allowed-post-logout-redirect-uris>https://localhost:6749/admin/dashboard/assisted.html</allowed-post-logout-redirect-uris>
    </user-authentication>
    <allowed-origins>https://localhost:6749</allowed-origins>
    <capabilities>
      <code/>
    </capabilities>
</client>

The admin UI automatically configures all these requirements when you enable the DevOps Dashboard. Manual configuration is only needed for advanced use cases or when using XML/CLI configuration.
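The requirements listed above, and the manual check of the client in Step 3, can be run mechanically against an exported client definition. The following Python script is an added example, not part of the Curity documentation or product; it assumes the client XML uses the element names shown on this page and that $ADMIN_BASE_URL is https://localhost:6749, and the function names and check labels are its own.

```python
import xml.etree.ElementTree as ET
BASE = "https://localhost:6749"  # assumption: $ADMIN_BASE_URL as used on this page

# Constructed sample: the page's client definition, condensed.
GOOD = f"""<client>
  <id>devops_dashboard_restconf_client</id>
  <no-authentication>true</no-authentication>
  <redirect-uris>{BASE}/admin/dashboard/assisted.html</redirect-uris>
  <proof-key><require-proof-key>true</require-proof-key></proof-key>
  <refresh-token-ttl>disabled</refresh-token-ttl>
  <audience>urn:se:curity:audiences:admin:api</audience>
  <audience>devops_dashboard_restconf_client</audience>
  <scope>openid</scope><scope>urn:se:curity:scopes:admin:api</scope>
  <user-authentication>
    <allowed-post-logout-redirect-uris>{BASE}/admin/dashboard/assisted.html</allowed-post-logout-redirect-uris>
  </user-authentication>
  <allowed-origins>{BASE}</allowed-origins>
  <capabilities><code/></capabilities>
</client>"""
# Constructed drift: PKCE switched off and refresh tokens switched on.
DRIFTED = (GOOD.replace("<require-proof-key>true", "<require-proof-key>false")
               .replace("<refresh-token-ttl>disabled", "<refresh-token-ttl>3600"))

def texts(node, path):
    """Stripped text of every element under node that matches path."""
    return {(e.text or "").strip() for e in node.findall(path)}

def audit_dashboard_client(client_xml, base_url=BASE):
    """Return the names of the page's requirements that the client fails."""
    c = ET.fromstring(client_xml)
    for e in c.iter():
        e.tag = e.tag.split("}", 1)[-1]  # ignore XML namespaces in real exports
    cid = (c.findtext("id") or "").strip()
    assisted = base_url + "/admin/dashboard/assisted.html"
    checks = {
        "public-client": texts(c, "no-authentication") == {"true"},
        "redirect-uri": assisted in texts(c, "redirect-uris"),
        "pkce-required": texts(c, "proof-key/require-proof-key") == {"true"},
        "scopes": {"openid", "urn:se:curity:scopes:admin:api"} <= texts(c, "scope"),
        "audience": {cid, "urn:se:curity:audiences:admin:api"} <= texts(c, "audience"),
        "post-logout-uri": assisted in texts(c, "user-authentication/allowed-post-logout-redirect-uris"),
        "code-flow-only": [e.tag for e in c.findall("capabilities/*")] == ["code"],
        "refresh-disabled": texts(c, "refresh-token-ttl") == {"disabled"},
        "allowed-origins": base_url in texts(c, "allowed-origins"),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    print("good:", audit_dashboard_client(GOOD))
    print("drifted:", audit_dashboard_client(DRIFTED))
```

An empty list means the client matches every requirement; pass a different `base_url` when the admin service does not listen on the default address.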

CORS Configuration

The DevOps Dashboard client needs to make cross-origin (CORS) requests to the revoke endpoint in the OAuth profile. Therefore, the allowed-origins setting in the environment must include the $ADMIN_BASE_URL.

This is automatically configured when using the admin UI setup wizard.

<config xmlns="http://tail-f.com/ns/config/1.0">
  <environments xmlns="https://curity.se/ns/conf/base">
    <environment>
      <services>
        <zones>
          <default-zone>
            <allowed-origins-for-cors>https://localhost:6749</allowed-origins-for-cors>
          </default-zone>
        </zones>
      </services>
    </environment>
  </environments>
</config>

Do not use the DevOps Dashboard OAuth client for any other purpose. It is specifically configured for dashboard access only.
