KEYCLOAK-10169 Openshift 4 User Identity Provider

server_admin/topics/identity-broker/social/openshift.adoc

@@ -1,5 +1,5 @@
 
-==== OpenShift
+==== OpenShift 3
 
 NOTE: OpenShift Online is currently in the developer preview mode. This documentation has been based on on-premise installations and local `minishift` development environment.
 
@@ -37,3 +37,48 @@ Use client ID and secret defined by `oc create` command to enter them back on th
 Go back to {project_name} and specify those items.
 
 Please refer to https://docs.okd.io/latest/architecture/additional_concepts/authentication.html#oauth[official OpenShift documentation] for more detailed guides.
+
+==== OpenShift 4
+
+NOTE: Prior to configuring OpenShift 4 Identity Provider, please locate the correct OpenShift 4 API URL up.
+In some scenarios, that URL might be hidden from users. The easiest way to obtain it is to invoke the following command (this might require installing `jq` command separately) `curl -s -k -H "Authorization: Bearer $(oc whoami -t)" \https://<openshift-user-facing-api-url>/apis/config.openshift.io/v1/infrastructures/cluster | jq ".status.apiServerURL"`. In most cases, the address will be protected by HTTPS. Therefore, it is essential to configure `X509_CA_BUNDLE` in the container and set it to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. Otherwise, {project_name} won't be able to communicate
+ with the API Server.
+
+There are a just a few steps you have to complete to be able to enable login with OpenShift 4.  First, go to the `Identity Providers` left menu item and select `OpenShift v4` from the `Add provider` drop down list.  This will bring you to the `Add identity provider` page.
+
+.Add Identity Provider
+image:images/openshift-4-add-identity-provider.png[]
+
+.Registering OAuth client
+
+You can register your client using `oc` command line tool.
+
+====
+[source,bash]
+----
+$ oc create -f <(echo '
+kind: OAuthClient
+apiVersion: v1
+metadata:
+ name: keycloak-broker <1>
+secret: "..." <2>
+redirectURIs:
+ - "<copy pasted Redirect URI from OpenShift 4 Identity Providers page>" <3>
+grantMethod: prompt <4>
+')
+----
+<1> The `name` of your OAuth client. Passed as `client_id` request parameter when making requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token`. The `name` parameter needs to be the same
+ in `OAuthClient` object as well as in {project_name} configuration.
+<2> `secret` is used as the `client_secret` request parameter.
+<3> The `redirect_uri` parameter specified in requests to `_<openshift_master>_/oauth/authorize` and `_<openshift_master>_/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`. The easiest way to configure it correctly is to copy-paste
+ it from {project_name} OpenShift 4 Identity Provider configuration page (`Redirect URI` field).
+<4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user.
+====
+
+Use the client ID and secret defined by `oc create` command to enter them back on the {project_name} `Add identity provider` page.
+Go back to {project_name} and specify those items.
+
+TIP: The OpenShift API server returns `The client is not authorized to request a token using this method` whenever `OAuthClient`
+ `name`, `secret` or `redirectURIs` is incorrect. Make sure you copy-pasted them into {project_name} OpenShift 4 Identity Provider page correctly.
+
+Please refer to https://docs.okd.io/latest/architecture/additional_concepts/authentication.html#oauth[official OpenShift documentation] for more detailed guides.