openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
eb39dc899af41a4e29579db262ef7439ea169b22
openshift-docs/modules/external-auth-about.adoc
Andrea Hoffer 8fe7cf8e42 OSDOCS#16171: Docs for BYO OIDC GA
2025-11-25 15:10:53 +00:00

31 lines
2.0 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * authentication/external-auth.adoc
:_mod-docs-content-type: CONCEPT
[id="external-auth-about_{context}"]
= About direct authentication with an external OIDC identity provider
[role="_abstract"]
You can enable direct integration with an external OpenID Connect (OIDC) identity provider to issue tokens for authentication. This bypasses the built-in OAuth server and uses the external identity provider directly.
By integrating directly with an external OIDC provider, you can leverage the advanced capabilities of your preferred OIDC provider instead of being limited by the capabilities of the built-in OAuth server. Your organization can manage users and groups from a single interface, while also streamlining authentication across multiple clusters and in hybrid environments. You can also integrate with existing tools and solutions.
// TODO: Add back in if we test machine-to-machine workflows in the future
// You can also facilitate machine-to-machine workflows and integrate with existing tools and solutions.
[IMPORTANT]
====
Currently, you may configure only one OIDC provider for direct authentication.
====
After switching to direct authentication, existing authentication configuration is not guaranteed to be preserved. Prior to enabling direct authentication, back up any existing user, group, oauthclient, or identity provider configuration in case you need to revert back to using the built-in OAuth server for authentication.
Before replacing the built-in OAuth server with an external provider, ensure that you have access to a long-lived method of logging in with cluster administrator permissions, such as one of the following:
* a certificate-based user `kubeconfig` file, such as the one generated by the installation program
* a long-lived service account token `kubeconfig` file
* a certificate-based service account `kubeconfig` file
If there are any issues with the external identity provider, you need one of these methods to gain access to the {product-title} cluster in an emergency situation.
View Git Blame Copy Permalink