openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/hcp-configuring-oauth-console.adoc
xenolinux 86cbd683d4 OSDOCS#12398: IDPs need workers for DNS resolution
2024-11-04 17:24:06 +00:00

81 lines
2.9 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * hosted_control_planes/hcp-authentication-authorization.adoc
:_mod-docs-content-type: PROCEDURE
[id="hcp-configuring-oauth-console_{context}"]
= Configuring the OAuth server for a hosted cluster by using the web console
You can configure the internal OAuth server for your hosted cluster by using the {product-title} web console.
You can configure OAuth for the following supported identity providers:
* `oidc`
* `htpasswd`
* `keystone`
* `ldap`
* `basic-authentication`
* `request-header`
* `github`
* `gitlab`
* `google`
Adding any identity provider in the OAuth configuration removes the default `kubeadmin` user provider.
[NOTE]
====
When you configure identity providers, you must configure at least one `NodePool` replica in your hosted cluster in advance. Traffic for DNS resolution is sent through the worker nodes. You do not need to configure the `NodePool` replicas in advance for the `htpasswd` and `request-header` identity providers.
====
.Prerequisites
* You logged in as a user with `cluster-admin` privileges.
* You created your hosted cluster.
.Procedure
. Navigate to *Home* -> *API Explorer*.
. Use the *Filter by kind* box to search for your `HostedCluster` resource.
. Click the `HostedCluster` resource that you want to edit.
. Click the *Instances* tab.
. Click the Options menu {kebab} next to your hosted cluster name entry and click *Edit HostedCluster*.
. Add the OAuth configuration in the YAML file:
+
[source,yaml]
----
spec:
configuration:
oauth:
identityProviders:
- openID: <1>
claims:
email: <2>
- <email_address>
name: <3>
- <display_name>
preferredUsername: <4>
- <preferred_username>
clientID: <client_id> <5>
clientSecret:
name: <client_id_secret_name> <6>
issuer: https://example.com/identity <7>
mappingMethod: lookup <8>
name: IAM
type: OpenID
----
<1> This provider name is prefixed to the value of the identity claim to form an identity name. The provider name is also used to build the redirect URL.
<2> Defines a list of attributes to use as the email address.
<3> Defines a list of attributes to use as a display name.
<4> Defines a list of attributes to use as a preferred user name.
<5> Defines the ID of a client registered with the OpenID provider. You must allow the client to redirect to the `\https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>` URL.
<6> Defines a secret of a client registered with the OpenID provider.
<7> The link:https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier[Issuer Identifier] described in the OpenID spec. You must use `https` without query or fragment component.
<8> Defines a mapping method that controls how mappings are established between identities of this provider and `User` objects.
. Click *Save*.
View Git Blame Copy Permalink