==== OpenShift 3 NOTE: OpenShift Online is currently in the developer preview mode. This documentation has been based on on-premise installations and local `minishift` development environment. There are a just a few steps you have to complete to be able to enable login with OpenShift. First, go to the `Identity Providers` left menu item and select `OpenShift` from the `Add provider` drop down list. This will bring you to the `Add identity provider` page. .Add Identity Provider image:images/openshift-add-identity-provider.png[] .Registering OAuth client You can register your client using `oc` command line tool. ==== [source,bash] ---- $ oc create -f <(echo ' kind: OAuthClient apiVersion: v1 metadata: name: kc-client <1> secret: "..." <2> redirectURIs: - "http://www.example.com/" <3> grantMethod: prompt <4> ') ---- <1> The `name` of your OAuth client. Passed as `client_id` request parameter when making requests to `__/oauth/authorize` and `__/oauth/token`. <2> `secret` is used as the `client_secret` request parameter. <3> The `redirect_uri` parameter specified in requests to `__/oauth/authorize` and `__/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`. <4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user. ==== Use client ID and secret defined by `oc create` command to enter them back on the {project_name} `Add identity provider` page. Go back to {project_name} and specify those items. Please refer to https://docs.okd.io/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth[official OpenShift documentation] for more detailed guides. ==== OpenShift 4 NOTE: Prior to configuring OpenShift 4 Identity Provider, please locate the correct OpenShift 4 API URL up. In some scenarios, that URL might be hidden from users. The easiest way to obtain it is to invoke the following command (this might require installing `jq` command separately) `curl -s -k -H "Authorization: Bearer $(oc whoami -t)" \https:///apis/config.openshift.io/v1/infrastructures/cluster | jq ".status.apiServerURL"`. In most cases, the address will be protected by HTTPS. Therefore, it is essential to configure `X509_CA_BUNDLE` in the container and set it to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. Otherwise, {project_name} won't be able to communicate with the API Server. There are a just a few steps you have to complete to be able to enable login with OpenShift 4. First, go to the `Identity Providers` left menu item and select `OpenShift v4` from the `Add provider` drop down list. This will bring you to the `Add identity provider` page. .Add Identity Provider image:images/openshift-4-add-identity-provider.png[] .Registering OAuth client You can register your client using `oc` command line tool. ==== [source,bash] ---- $ oc create -f <(echo ' kind: OAuthClient apiVersion: v1 metadata: name: keycloak-broker <1> secret: "..." <2> redirectURIs: - "" <3> grantMethod: prompt <4> ') ---- <1> The `name` of your OAuth client. Passed as `client_id` request parameter when making requests to `__/oauth/authorize` and `__/oauth/token`. The `name` parameter needs to be the same in `OAuthClient` object as well as in {project_name} configuration. <2> `secret` is used as the `client_secret` request parameter. <3> The `redirect_uri` parameter specified in requests to `__/oauth/authorize` and `__/oauth/token` must be equal to (or prefixed by) one of the URIs in `redirectURIs`. The easiest way to configure it correctly is to copy-paste it from {project_name} OpenShift 4 Identity Provider configuration page (`Redirect URI` field). <4> The `grantMethod` is used to determine what action to take when this client requests tokens and has not yet been granted access by the user. ==== Use the client ID and secret defined by `oc create` command to enter them back on the {project_name} `Add identity provider` page. Go back to {project_name} and specify those items. TIP: The OpenShift API server returns `The client is not authorized to request a token using this method` whenever `OAuthClient` `name`, `secret` or `redirectURIs` is incorrect. Make sure you copy-pasted them into {project_name} OpenShift 4 Identity Provider page correctly. Please refer to https://docs.okd.io/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth[official OpenShift documentation] for more detailed guides.