|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * hosted_control_planes/hcp-authentication-authorization.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="hcp-configuring-oauth-console_{context}"] |
| 7 | += Configuring the OAuth server for a hosted cluster by using the web console |
| 8 | + |
| 9 | +You can configure the internal OAuth server for your hosted cluster by using the {product-title} web console. |
| 10 | + |
| 11 | +You can configure OAuth for the following supported identity providers: |
| 12 | + |
| 13 | +* `oidc` |
| 14 | +* `htpasswd` |
| 15 | +* `keystone` |
| 16 | +* `ldap` |
| 17 | +* `basic-authentication` |
| 18 | +* `request-header` |
| 19 | +* `github` |
| 20 | +* `gitlab` |
| 21 | +* `google` |
| 22 | +
|
| 23 | +Adding any identity provider in the OAuth configuration removes the default `kubeadmin` user provider. |
| 24 | + |
| 25 | +.Prerequisites |
| 26 | + |
| 27 | +* You logged in as a user with `cluster-admin` privileges. |
| 28 | +* You created your hosted cluster. |
| 29 | +
|
| 30 | +.Procedure |
| 31 | + |
| 32 | +. Navigate to *Home* -> *API Explorer*. |
| 33 | + |
| 34 | +. Use the *Filter by kind* box to search for your `HostedCluster` resource. |
| 35 | + |
| 36 | +. Click the `HostedCluster` resource that you want to edit. |
| 37 | + |
| 38 | +. Click the *Instances* tab. |
| 39 | + |
| 40 | +. Click the Options menu {kebab} next to your hosted cluster name entry and click *Edit HostedCluster*. |
| 41 | + |
| 42 | +. Add the OAuth configuration in the YAML file: |
| 43 | ++ |
| 44 | +[source,yaml] |
| 45 | +---- |
| 46 | +spec: |
| 47 | + configuration: |
| 48 | + oauth: |
| 49 | + identityProviders: |
| 50 | + - openID: <1> |
| 51 | + claims: |
| 52 | + email: <2> |
| 53 | + - <email_address> |
| 54 | + name: <3> |
| 55 | + - <display_name> |
| 56 | + preferredUsername: |
| 57 | + - <preferred_username> <4> |
| 58 | + clientID: <client_id> <5> |
| 59 | + clientSecret: |
| 60 | + name: <client_id_secret_name> <6> |
| 61 | + issuer: https://example.com/identity <7> |
| 62 | + mappingMethod: lookup <8> |
| 63 | + name: IAM |
| 64 | + type: OpenID |
| 65 | +---- |
| 66 | +<1> This provider name is prefixed to the value of the identity claim to form an identity name. The provider name is also used to build the redirect URL. |
| 67 | +<2> Defines a list of attributes to use as the email address. |
| 68 | +<3> Defines a list of attributes to use as a display name. |
| 69 | +<4> Defines a list of attributes to use as a preferred user name. |
| 70 | +<5> Defines the ID of a client registered with the OpenID provider. You must allow the client to redirect to the `\https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>` URL. |
| 71 | +<6> Defines a secret of a client registered with the OpenID provider. |
| 72 | +<7> The link:https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier[Issuer Identifier] described in the OpenID spec. You must use `https` without query or fragment component. |
| 73 | +<8> Defines a mapping method that controls how mappings are established between identities of this provider and `User` objects. |
| 74 | + |
| 75 | +. Click *Save*. |
0 commit comments