mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

BZ-1730609: Clarify changes for 4.1

This commit is contained in:
Andrea Hoffer
2019-07-22 14:25:30 -04:00
committed by openshift-cherrypick-robot
parent 79db38ce18
commit 5a86889ee2
2 changed files with 13 additions and 11 deletions

View File

@@ -20,13 +20,13 @@ requests for OAuth tokens to the proxy endpoint that proxies to
To redirect unauthenticated requests from clients expecting browser-based login flows:
1. Set the `provider.loginURL` parameter to the authenticating proxy URL that
* Set the `provider.loginURL` parameter to the authenticating proxy URL that
will authenticate interactive clients and then proxy the request to
`https://_<namespace_route>_/oauth/authorize`.
To redirect unauthenticated requests from clients expecting `WWW-Authenticate` challenges:
1. Set the `provider.challengeURL` parameter to the authenticating proxy URL that
* Set the `provider.challengeURL` parameter to the authenticating proxy URL that
will authenticate clients expecting `WWW-Authenticate` challenges and then proxy
the request to `https://_<namespace_route>_/oauth/authorize`.
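Review bot: each of the two "To redirect unauthenticated requests ..." lead-ins is now followed by a single `*` bullet, which reads as a one-item list; either fold the item into its lead-in sentence ("To redirect unauthenticated requests from clients expecting browser-based login flows, set the `provider.loginURL` parameter to ...") or keep the numbered form if the two settings are meant to be read as ordered steps of one procedure.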
@@ -35,19 +35,15 @@ the following tokens in the query portion of the URL:
* `${url}` is replaced with the current URL, escaped to be safe in a query parameter.
+
For example: `https://www.example.com/sso-login?then=${url}`
For example: [x-]`https://www.example.com/sso-login?then=${url}`
* `${query}` is replaced with the current query string, unescaped.
+
For example: `https://www.example.com/auth-proxy/oauth/authorize?${query}`
For example: [x-]`https://www.example.com/auth-proxy/oauth/authorize?${query}`
[WARNING]
[IMPORTANT]
====
If you expect unauthenticated requests to reach the OAuth server, a `clientCA`
parameter MUST be set for this identity provider, so that incoming requests
are checked for a valid client certificate before the request's headers are
checked for a user name. Otherwise, any direct request to the OAuth server can
impersonate any identity from this provider, merely by setting a request header.
As of {product-title} 4.1, your proxy must support mutual TLS.
====
[id="sspi-windows_{context}"]
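Review bot: the admonition still says "a `clientCA` parameter MUST be set", while the second file in this same commit changes the equivalent reference from `clientCA` to `ca` ("Can only be used in combination with `ca`."); if `ca` is the field name in 4.1, rename it here too so both files agree. The new sentence "As of {product-title} 4.1, your proxy must support mutual TLS." also sits under the conditional "If you expect unauthenticated requests to reach the OAuth server ...", whereas the other file states the field is required unconditionally; consider rewording the admonition so that the CA and mutual-TLS requirement is stated as mandatory rather than as an option that applies only in that case.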

View File

@@ -58,10 +58,16 @@ If this attribute is not defined, then `challengeURL` must be used.
<5> Reference to an {product-title} ConfigMap containing a PEM-encoded
certificate bundle. Used as a trust anchor to validate the TLS
certificates presented by the remote server.
+
[IMPORTANT]
====
As of {product-title} 4.1, the `ca` field is required for this identity
provider. This means that your proxy must support mutual TLS.
====
<6> Optional: list of common names (`cn`). If set, a valid client certificate with
a Common Name (`cn`) in the specified list must be presented before the request headers
are checked for user names. If empty, any Common Name is allowed. Can only be used in combination
with `clientCA`.
with `ca`.
<7> Header names to check, in order, for the user identity. The first header containing
a value is used as the identity. Required, case-insensitive.
<8> Header names to check, in order, for an email address. The first header containing
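Review bot: the new IMPORTANT block says the `ca` field is required and that the proxy must therefore support mutual TLS, but callout `<5>` still describes `ca` as validating "the TLS certificates presented by the remote server"; callout `<6>` says a valid client certificate must be presented and can only be combined with `ca`, so `<5>` should state that the bundle validates the client certificate presented by the proxy, otherwise a reader will not connect `ca` to the mutual-TLS requirement the new note introduces. The `with clientCA.` to `with ca.` rename in `<6>` is correct; the same field name should be applied in the first file's admonition, which still says `clientCA`.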