NOTE: OpenShift Online is currently in the developer preview mode. This documentation has been based on on-premise installations and local `minishift` development environment.
<1> The `name` of your OAuth client. Passed as `client_id` request parameter when making requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token`.
<2> `secret` is used as the `client_secret` request parameter.
<3> The `redirect_uri` parameter specified in requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`.
<4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user.
Please refer to https://docs.okd.io/latest/architecture/additional_concepts/authentication.html#oauth[official OpenShift documentation] for more detailed guides.
NOTE: Prior to configuring OpenShift 4 Identity Provider, please locate the correct OpenShift 4 API URL up.
In some scenarios, that URL might be hidden from users. The easiest way to obtain it is to invoke the following command (this might require installing `jq` command separately) `curl -s -k -H "Authorization: Bearer $(oc whoami -t)" \https://<openshift-user-facing-api-url>/apis/config.openshift.io/v1/infrastructures/cluster | jq ".status.apiServerURL"`. In most cases, the address will be protected by HTTPS. Therefore, it is essential to configure `X509_CA_BUNDLE` in the container and set it to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. Otherwise, {project_name} won't be able to communicate
with the API Server.
There are a just a few steps you have to complete to be able to enable login with OpenShift 4. First, go to the `Identity Providers` left menu item and select `OpenShift v4` from the `Add provider` drop down list. This will bring you to the `Add identity provider` page.
You can register your client using `oc` command line tool.
====
[source,bash]
----
$ oc create -f <(echo '
kind: OAuthClient
apiVersion: v1
metadata:
name: keycloak-broker <1>
secret: "..." <2>
redirectURIs:
- "<copy pasted Redirect URI from OpenShift 4 Identity Providers page>" <3>
grantMethod: prompt <4>
')
----
<1> The `name` of your OAuth client. Passed as `client_id` request parameter when making requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token`. The `name` parameter needs to be the same
in `OAuthClient` object as well as in {project_name} configuration.
<2> `secret` is used as the `client_secret` request parameter.
<3> The `redirect_uri` parameter specified in requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`. The easiest way to configure it correctly is to copy-paste
it from {project_name} OpenShift 4 Identity Provider configuration page (`Redirect URI` field).
<4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user.
====
Use the client ID and secret defined by `oc create` command to enter them back on the {project_name} `Add identity provider` page.
Go back to {project_name} and specify those items.
TIP: The OpenShift API server returns `The client is not authorized to request a token using this method` whenever `OAuthClient`
`name`, `secret` or `redirectURIs` is incorrect. Make sure you copy-pasted them into {project_name} OpenShift 4 Identity Provider page correctly.
Please refer to https://docs.okd.io/latest/architecture/additional_concepts/authentication.html#oauth[official OpenShift documentation] for more detailed guides.
